Chainalysis Vulnerability Disclosure Policy

Last updated: May 15th, 2024

Chainalysis welcomes responsible disclosure of security vulnerabilities from researchers. If you believe you have found a vulnerability in a Chainalysis product or on https://chainalysis.com , please notify us promptly at [email protected].

When reporting, please:

• Provide a detailed description, URL, screenshots/sample code
• Avoid accessing or destroying user data
• Stop testing once a vulnerability is established to prevent further harm
• Keep vulnerability details confidential until we confirm the issue is resolved

In-scope systems:

• https://chainalysis.com
• https://reactor.chainalysis.com
• https://kyt.chainalysis.com
• https://kryptos.chainalysis.com
• https://api.sanctions.chainalysis.com

Out-of-scope activity:

Spam, social engineering, DDoS attacks

Chainalysis commits to:

• Promptly investigating reports
• Fixing confirmed vulnerabilities
• Publicly recognizing researchers

We appreciate the work of security researchers in helping us identify and address potential vulnerabilities. Your input supports our ongoing efforts to keep our systems secure.

Bulk submissions, issues we are already aware of, or any issues that are regarded to be of negligible impact may not receive a response. 

By participating in security research, you agree to comply with applicable laws and avoid harm to Chainalysis systems and data.

Thank you for helping keep Chainalysis secure. Together, we can responsibly identify and resolve vulnerabilities.