59 changes: 52 additions & 7 deletions SECURITY.md
@@ -1,13 +1,58 @@
# Uniswap Labs Security
# Security Policy

## Vulnerability Disclosure and Bug Bounty
## Reporting a Vulnerability

Bug bounty details can be found in https://uniswap.org/bug-bounty
**⚠️ Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.**

## Careers
If you discover a security vulnerability in Uniswap v4, please report it responsibly through one of these channels:

See our available job openings in https://boards.greenhouse.io/uniswaplabs
1. **Bug Bounty** (preferred): Submit through the [Uniswap Bug Bounty Program](https://uniswap.org/bug-bounty)
2. **Email**: Send details to [security@uniswap.org](mailto:security@uniswap.org)

## Security Team Contact Details
### What to Include

Please contact us through the bug bounty https://uniswap.org/bug-bounty or directly via [security@uniswap.org](mailto:security@uniswap.org)
- Description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- Affected contract(s) and function(s)
- Suggested fix, if applicable

### Response Timeline

| Timeframe | Action |
|-----------|--------|
| 24 hours | Acknowledgment of report |
| 72 hours | Initial severity assessment |
| 7 days | Detailed response with remediation plan |
| 90 days | Coordinated public disclosure |

## Bug Bounty Program

Uniswap maintains one of the largest bug bounty programs in DeFi, offering up to **$15.5 million** for critical vulnerabilities.

Full program details, scope, and reward tiers are available at [uniswap.org/bug-bounty](https://uniswap.org/bug-bounty).

## Security Audits

The v4-core codebase has undergone extensive security review, including nine independent audits and the largest security competition in DeFi history.

| Auditor | Scope | Report |
|---------|-------|--------|
| OpenZeppelin | Core contracts | [View Report](https://blog.openzeppelin.com/uniswap-v4-core-audit) |

For the complete list of audit reports across all protocol versions, see the [Uniswap documentation](https://docs.uniswap.org).

## Supported Versions

| Version | Status |
|---------|--------|
| v4 | ✅ Active — full support and active bug bounty |
| v3 | ✅ Active — security fixes and active bug bounty |
| v2 | ⚠️ Maintenance — critical security fixes only |
| v1 | ❌ End of life |

## Additional Resources

- [Uniswap Bug Bounty Program](https://uniswap.org/bug-bounty)
- [Uniswap Documentation](https://docs.uniswap.org)
- [Security Audit Reports](https://docs.uniswap.org)
- [Careers at Uniswap Labs](https://boards.greenhouse.io/uniswaplabs)
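
Review bot: In the Security Audits section, the prose says "nine independent audits" but the table lists only the OpenZeppelin report, and the "Security Audit Reports" entry under Additional Resources points at the same https://docs.uniswap.org root as "Uniswap Documentation", so a reader has no direct path to the other eight reports. Either list each audit with its own report link in the table, or link to the specific page that holds them. Separately, the Response Timeline rows (24 hours, 72 hours, 7 days, 90 days) and the "$15.5 million" figure will be quoted back from this file. It is worth confirming the timeline with whoever staffs security@uniswap.org, and deferring the bounty amount to the bug bounty page so it cannot go stale here.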