Current Status

External audits are planned but not completed yet. Current security posture is based on internal testing, role-gated access controls, pause/unpause safety controls, and manual operational checks.

No bug bounty program is active at this time. Any future bounty will be announced publicly with explicit scope, rules, and rewards.

Phase 1: Baseline Hardening

  • Contract-level role restrictions for critical setters and privileged flows.
  • Pause controls for high-impact modules (Funding Pool, Voting, Grant Manager, Faucet).
  • Unit/integration tests for core lifecycle: idea, round, vote, payout, completion.
  • Clear error surfacing in frontend for role/status/revert conditions.

Phase 2: External Audits (Planned)

  • Scope audit for core contracts: VotingSystem, IdeaRegistry, FundingPool, GrantManager, token extensions.
  • Pre-audit freeze: no new features during audit cycle.
  • Post-audit remediation with documented fix list and re-test evidence.
  • Public summary with finding severities and mitigation status.

Phase 3: Runtime Security Controls

  • Automated monitoring for abnormal pause events and failed transaction patterns.
  • Upgrade runbook with explicit preflight and post-deploy verification steps.
  • Operator key policy hardening (separation of duties, restricted admin paths).

Phase 4: Program Launches (Planned)

  • Potential launch of a responsible vulnerability rewards program (currently not active).
  • Formalized disclosure SLAs for critical and high severity reports.
  • Security KPIs published with regular status updates.

Incident Response Baseline

Default response flow: pause -> isolate -> diagnose -> patch -> verify -> unpause. Production does not resume before root-cause verification and regression checks are complete.

Security Disclosure Policy

For responsible disclosure and security reports, contact: info@tenyokj. Include affected contract/module, reproduction path, impact estimate, and transaction references where relevant.