Security

Responsible disclosure policy

CHIMERA appreciates reports from the security community. Researchers who follow this policy will not face legal action from CHIMERA under CFAA, DMCA, the UK Computer Misuse Act, or equivalent laws. This safe-harbor is unilateral — we commit to it even if you do nothing in return.

Scope

In scope

  • VPN client apps (Windows / macOS / Linux / iOS / Android)
  • VPN node protocol implementations (WireGuard-TLS, VLESS-XTLS, Shadowsocks 2022, OpenVPN+obfs4, HTTP/2 CDN tunnel, WebRTC stego)
  • Billing backend (chimera-billing)
  • Release signing + update manifests
  • Storefront (chimera.tw)
  • Warrant canary pipeline

Out of scope

  • Social-engineering targeting CHIMERA operators or users
  • Physical attacks on infrastructure
  • Denial-of-service (volume-based)
  • Findings against third-party providers (Njalla, FlokiNET, CryptoCloud, BTCPay-hosted instances not under our key)
  • PrivacyProof site (privacyproof.example) — separate project, separate disclosure at that site's /legal/security

How to report

Send an encrypted report via one of the following channels. All three point to the same recipient; redundancy exists for resilience.

  1. SimpleX Chat (preferred): https://simplex.chat/contact#/?v=2-7&smp=PLACEHOLDER-security-handle
  2. GPG-encrypted email: security@chimera.tw
    Public key: https://chimera.tw/.well-known/pgp-security.asc
  3. Tor-only submission form (onion mirror only; use this if you cannot trust the clearnet side): link in /canary footer

What to include

  • Affected component + version (v1.0.0, commit hash if from source)
  • Reproduction steps, ideally with a minimal PoC
  • Impact assessment (what could an attacker do)
  • Suggested fix if you have one — not required
  • Whether you would like acknowledgement in our hall of fame

Response SLA

  • Acknowledgement: within 72 hours
  • Triage + severity: within 7 days
  • Fix + disclosure coordination: 30 days (critical) / 90 days (other)
  • Bounty pay-out (if eligible): within 14 days of coordinated disclosure

Bounties

CHIMERA pays in Monero or USDT-TRC20 (researcher's choice). No KYC, no real-name requirement — pseudonymous pay-out is fine. Amounts depend on severity, exploitability, and whether a working PoC is included. The detailed rubric and multipliers are in BUG_BOUNTY.md in the source repo; the tiers below are indicative.

  • Critical: $2 000 – $10 000
  • High: $500 – $2 000
  • Medium: $150 – $500
  • Low / info: $0 – $150

Acknowledgements

No disclosures yet — this is expected pre-launch and in the early weeks after. Researchers will be listed here at their option, by pseudonym if they prefer.