Security

Tally Security Vulnerability Disclosure Policy

At Tally, we take security seriously and value the contributions of security researchers who help keep our platform and users safe. This policy provides guidelines for conducting security research and reporting vulnerabilities responsibly.

To report a vulnerability, reach out to security@tally.xyz.

Scope

In Scope

  • Main application at tally.xyz

  • Associated subdomains

  • API endpoints

  • Web application functionality

  • Authentication mechanisms

  • Smart contract interactions

Out of Scope

  • Denial of Service (DoS) attacks

  • Spam attacks

  • Social engineering attacks

  • Physical security attacks

  • Third-party applications or websites

  • Issues already reported by another researcher

  • Issues in third-party dependencies that are already publicly known

Guidelines for Security Researchers

  1. Do No Harm:

    • Do not attempt to access, modify, or delete data belonging to other users

    • Do not attempt to degrade or disrupt our services

    • Do not use automated scanning tools without explicit permission

    • Do not attempt to phish or social engineer our employees or users

  2. Testing Requirements:

    • Only test against accounts you own or have explicit permission to test

    • Create a separate test account for security research

    • Do not test in a way that could impact other users or the platform's stability

    • Immediately stop testing if you encounter sensitive user data

Reporting Process

  1. Initial Report: Submit your findings through our secure bug reporting platform or email with:

    • Detailed description of the vulnerability

    • Steps to reproduce

    • Proof of concept

    • Impact assessment

    • Suggested remediation (if any)

  2. Response Timeline:

    • Initial acknowledgment: Within 24 hours

    • Triage and severity assessment: Within 3 business days

    • Regular updates on fix progress: Every 5 business days

    • Resolution timeline based on severity:

      • Critical: 7 days

      • High: 30 days

      • Medium: 60 days

      • Low: 90 days

Reward Structure

Rewards are based on severity and quality of report:

  Severity   Reward Range
  Critical   $5,000-$25,000
  High       $2,500-$5,000
  Medium     $500-$2,000
  Low        $100-$500

Severity Criteria

Critical:

  • Direct loss of user funds

  • Smart contract vulnerabilities leading to theft

  • Remote code execution

  • Access to private keys or sensitive credentials*

High:

  • Authentication bypass

  • Significant disclosure of private information

  • Injecting malicious transactions for users to sign

  • Stored cross-site scripting

  • Session hijacking

Medium:

  • Reflected cross-site scripting

  • Cross-site request forgery

  • Smart contract vulnerabilities affecting liveness

Low:

  • Missing security headers

  • Non-sensitive user data exposure

  • Race conditions without direct security impact

*Note that public environment variables such as RPC endpoints are not considered sensitive.

Public Disclosure

  • Please allow us 90 days before public disclosure

  • Coordinate disclosure timing with our security team

  • We encourage responsible disclosure through our bug bounty email address

  • Credit will be given to researchers who follow these guidelines

Safe Harbor

We will not pursue legal action against researchers who:

  • Follow this responsible disclosure policy

  • Make good faith efforts to avoid privacy violations, destruction of data, and interruption or degradation of our services

  • Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the vulnerability

Contact

Primary Contact: security@tally.xyz

Updates to Policy

This policy may be updated from time to time. Please review it before starting any security research or submitting reports.

Last updated 3 months ago