Responsible disclosure
Last updated: May 25, 2026
We appreciate security researchers who help keep RelayGuard and our customers safe. If you believe you have found a vulnerability, please report it to us before public disclosure.
Contact
Email [email protected] with the subject line "Security report — RelayGuard".
Include as much detail as you can:
- Description of the issue and potential impact
- Steps to reproduce (URLs, request samples, screenshots)
- Affected component (gateway, dashboard, API, marketing site)
- Your timezone and preferred contact method for follow-up
Scope
In scope:
- gateway.0xrelayguard.com — RPC gateway and public status endpoints
- app.0xrelayguard.com — dashboard and control plane API
- 0xrelayguard.com — marketing and documentation site
- Authentication, authorization, tenant isolation, and secret-handling bugs in the above
Out of scope:
- Third-party RPC providers you connect (Alchemy, Infura, etc.) — report to them directly
- Social engineering, phishing, or physical attacks
- Denial-of-service tests against production without prior written approval
- Issues in dependencies with no exploitable path in RelayGuard
- Missing security headers with no demonstrated impact
- Reports from automated scanners without a verified exploit
Rules of engagement
- Test only against workspaces and accounts you own, or with our explicit written permission
- Do not access, modify, or delete other customers' data
- Do not exfiltrate data beyond the minimum needed to demonstrate impact
- Stop testing once you have confirmed the issue and notify us
- Give us reasonable time to remediate before any public disclosure (we aim for 90 days)
Safe harbor
If you follow this policy and act in good faith, we will not pursue legal action against you for security research that stays within these rules. We may still involve law enforcement for malicious activity outside this policy.
What to expect
- Acknowledgment — we aim to respond within 3 business days
- Updates — we will keep you informed as we investigate and fix validated issues
- Recognition — with your permission, we may credit you in release notes or a security acknowledgments page
We do not currently offer a paid bug bounty program. We are a small team and appreciate responsible reports that help us ship fixes quickly.