Security: covalenthq/ewm-light-contracts

SECURITY.md

Security Policy

The security of our users and the integrity of the Covalent EWM light-client project are of utmost importance to us. We appreciate the efforts of security researchers, white hat hackers and the community in helping us identify and responsibly disclose any vulnerabilities or security issues.

Reporting Security Issues

If you discover a security vulnerability or issue within the Covalent EWM light-client project or its associated smart contracts, please report it to us responsibly by following these steps:

  1. Send an email to our security team at security@covalenthq.com (and, for quick communication, drop a line on Telegram at t.me/noslav or on Discord) with the following details:

    • A clear and concise description of the vulnerability or issue.
    • Steps to reproduce the vulnerability or issue.
    • Any relevant technical details, such as affected versions or components.
    • Your contact information for further communication.
  2. Do not disclose the vulnerability or issue publicly until we have had sufficient time to investigate and address it.

  3. We will acknowledge receipt of your report within 36 hours and provide an estimated timeline for addressing the issue.

  4. We will keep you informed about the progress of fixing the vulnerability and may ask for additional information or clarification if needed.

  5. Once the vulnerability is fixed, we will publicly acknowledge your responsible disclosure via x/twitter or discord, unless you prefer to remain anonymous.

Bug Bounty Program

To encourage and reward the responsible disclosure of security vulnerabilities, we offer a bug bounty program. Depending on the severity and impact of the reported vulnerability, we provide bounties in the form of our primary staking ERC-20 token, CXT, from the CXT community reserve. See tokenomics for more details.

The bounty amounts are determined based on the severity of the vulnerability and its potential impact on the project and its users. Please refer to our previous bounties for the refiner testnet programme to get an idea of the reward structure.

Scope

The following components and areas are within the scope of our security policy and bug bounty program:

  • The Covalent EWM light-client repository and its associated smart contracts within ./contracts, tests within ./test and scripts within ./scripts.
  • The core functionality and security of the light-client NFT contracts and their interactions on the Base EVM blockchain.
  • Any vulnerabilities that could lead to the compromise of user funds or sensitive information.

Out of Scope

The following areas are considered out of scope for our security policy and bug bounty program:

  • Third-party libraries, dependencies, or services used by the project, unless specifically integrated or modified by us.
  • Vulnerabilities in the underlying blockchain platform or network, such as Ethereum or Base.
  • Social engineering attacks or phishing attempts.
  • Denial of Service (DoS) attacks or other network-related issues.

Responsible Disclosure

We kindly request that you follow responsible disclosure practices when reporting security vulnerabilities. This includes:

  • Providing us with sufficient time to investigate and address the vulnerability before public disclosure.
  • Not exploiting the vulnerability for personal gain or causing harm to the project, its users, or any other parties.
  • Respecting the confidentiality of the disclosure process and not sharing information about the vulnerability with others until it has been addressed.

Contact

If you have any questions or concerns regarding the security of the Covalent EWM light-client project, please contact us on Discord.

We appreciate your efforts in helping us maintain the security and integrity of our project. Thank you for your responsible disclosure and collaboration.