Chainalysis Vulnerability Disclosure Policy

Last updated: May 15th, 2024

Chainalysis welcomes responsible disclosure of security vulnerabilities from researchers. If you believe you have found a vulnerability in a Chainalysis product or on https://chainalysis.com, please notify us promptly at [email protected].

 

When reporting, please:

  • Provide a detailed description, URL, screenshots/sample code
  • Avoid accessing or destroying user data
  • Stop testing once a vulnerability is established to prevent further harm
  • Keep vulnerability details confidential until we confirm the issue is resolved

 

In-scope systems:

  • https://chainalysis.com
  • https://reactor.chainalysis.com
  • https://kyt.chainalysis.com
  • https://kryptos.chainalysis.com
  • https://api.sanctions.chainalysis.com

 

Out-of-scope activity:

Spam, social engineering, DDoS attacks

 

Chainalysis commits to:

  • Promptly investigating reports
  • Fixing confirmed vulnerabilities
  • Publicly recognizing researchers
  • Offering rewards for valid, high severity issues

 

We aim to respond within a few days and will communicate throughout the process. Please allow time for us to thoroughly investigate and remediate issues before public disclosure. We will reply to any submission that is considered to be of significant impact to Chainalysis. 

Bulk submissions, issues we are already aware of, or any issues regarded as having negligible impact may not receive a response.

By participating in security research, you agree to comply with applicable laws and avoid harm to Chainalysis systems and data.

Thank you for helping keep Chainalysis secure. Together, we can responsibly identify and resolve vulnerabilities.