
Security & disclosure

Sour is open-source, formally verified for the settlement math, and runs in production on Solana mainnet. If you find an issue, this page tells you how to report it and what to expect.

Reporting a vulnerability

Send a report to security@sour.finance. Include a description of the issue, reproduction steps, and your preferred contact handle for follow-up. Do not file a public GitHub issue for security-sensitive findings.

We acknowledge reports within 72 hours. Critical issues affecting funds are triaged immediately. We will work with you on a coordinated disclosure timeline that matches the severity.

In scope

  • The Sour program at souryQgnM1xiNuGcmVYLPGT3MKqnGN8QTqP8zk8eape (mainnet).
  • The SDK and instruction-builder code at github.com/GageBachik/sour.
  • The frontend at sour.finance and app.sour.finance — XSS, auth bypass, transaction-construction issues.
  • Server endpoints under app.sour.finance/api/* — RPC proxy abuse, cache poisoning, IDOR.

Out of scope

  • Third-party services — Pyth oracle, Solana RPC providers, wallet adapters.
  • Issues that require physical access, social engineering, or compromise of an operator account.
  • Volumetric DoS against public endpoints. (Report it, but it is not a payable finding.)
  • Self-inflicted user errors (lost seed phrase, wrong-network sends, etc.).

Bounty stance

Sour does not have a formal bounty program with published payouts as of v1.0.7. We pay reasonable bounties on critical findings via case-by-case negotiation with the reporter. The verified portion of the protocol — settlement math, aggregate budget — already passed 18 Kani proofs and a Lean check, so most credible findings will be in the surrounding code, the frontend, or the deployment layer.

A formal bounty program with published tiers will land alongside the first third-party audit.

Reference

  • Disclosure email: security@sour.finance
  • Program (mainnet): souryQgnM1xiNuGcmVYLPGT3MKqnGN8QTqP8zk8eape
  • Source: github.com/GageBachik/sour
  • Verification: github.com/GageBachik/sour-verification
  • Audit status: No third-party audit yet — see /audits
  • PGP: On request via email