
Responsible Disclosure Policy

Last updated: May 2026

BlackHart Inc. conducts proactive security research on DeFi protocols to protect user funds. This policy describes how we handle the disclosure of vulnerabilities we discover.

01 //

Our Commitment

BlackHart Inc. conducts proactive, unsolicited security research on DeFi protocols. When we discover vulnerabilities that put user funds at risk, we follow a structured responsible disclosure process modeled on industry standards (Google Project Zero, CERT/CC).

02 //

Disclosure Process

When a vulnerability is discovered:

  • We make reasonable efforts to contact the protocol team directly through verified channels
  • We provide a detailed technical report including severity assessment, attack path analysis, and proof-of-concept
  • We grant a remediation window before any public release
  • We work with the team to verify fixes when engaged to do so

03 //

The 90-Day Disclosure Timeline

For Critical-severity, permissionless vulnerabilities (exploitable by any external actor without special access):

  • Day 0: Protocol team is notified through the BlackHart portal. Viewing the disclosure starts the countdown.
  • Days 1–90: Remediation window. We are available to verify fixes and provide guidance.
  • Day 90: If unresolved, the finding is made publicly available with sufficient detail for the community to assess risk.
  • Extensions: We may grant extensions for protocols demonstrating active, good-faith remediation efforts. Extensions are granted at our discretion and communicated in writing.

04 //

Non-Critical Findings

Findings that require admin action, social engineering, or user misconfiguration to exploit follow a private disclosure model. These are shared exclusively with the protocol team through the portal and are not subject to the 90-day timeline.

05 //

What We Publish

Public disclosures include: vulnerability description, severity and terminal state classification, affected contracts, and remediation status.

We do NOT publish: working exploit code, specific attack parameters that would enable immediate exploitation, or information about unrelated vulnerabilities discovered during the same engagement.

06 //

Safe Harbor

BlackHart Inc. conducts research in read-only or fork environments. We do not exploit vulnerabilities on mainnet. Our proofs-of-concept are validated exclusively on mainnet forks using Foundry. We do not front-run, extract value, or interfere with protocol operations.

07 //

For Protocol Teams

If you have been notified of a disclosure: Sign in to your BlackHart portal to view the full technical report. If you need additional time, contact us at disclosure@blackhart.io with your remediation timeline. We want to work with you, not against you.

08 //

For Security Researchers

BlackHart Inc. does not currently operate a bug bounty program. If you have discovered a vulnerability in a protocol we cover, contact us at researchers@blackhart.io. Do not disclose vulnerabilities publicly without coordinating with the affected protocol.

09 //

Industry Alignment

This policy is aligned with:

  • Google Project Zero (90-day disclosure)
  • CERT/CC Vulnerability Disclosure Policy
  • ISO/IEC 29147:2018 (Vulnerability disclosure)

We believe coordinated disclosure protects users while holding protocols accountable for security.

10 //

Contact

For disclosure-related inquiries:

disclosure@blackhart.io

Include “DISCLOSURE” in the subject line for priority routing.