Security Policy

Scope

If you find a security issue in any asset below, we want to hear from you.

In scope

• Vault smart contracts — AspeLabsVault, AspeLabsRouter, AspeTimelockControllerV2 deployed on HyperEVM. See self-audit report for addresses and commit hash.
• Audit artefacts — content served from aspelabs.xyz/audit/, including the public self-audit report v3.0 (PDF + MD), external-hacks.json, and the archived v2.0 artefacts.
• Landing infrastructure — aspelabs.xyz and subdomains, DNS configuration, email infrastructure.
• Operational op-sec — credential handling, secret storage, release process (not the operator's personal devices).

Out of scope

• Attacks requiring compromise of the reporter's own device or account.
• Social engineering of ASPE Labs personnel or service providers.
• Denial-of-service attacks against the landing page or RPC endpoints.
• Third-party services not under our control (Hyperliquid exchange, HyperEVM L1, 1984 Hosting panel, GitHub itself).
• Reports based on automated scanner output without a concrete exploit path.
• Trading strategy logic — proprietary, lives in a separate private repository.

How to report

Pick the channel that fits the urgency of the issue.

What to include

• Short title + one-paragraph summary of the issue.
• Affected asset (contract address, URL, commit SHA).
• Reproduction steps or proof-of-concept transaction / payload.
• Impact analysis — what can an attacker do, and under what preconditions.
• Suggested remediation if you have one (optional but appreciated).
• Your preferred contact handle and whether you want public credit.

What we commit to

• Acknowledgement within 48 h of report receipt on a best-effort basis.
• Initial triage within 7 days — we tell you if it is in scope, the severity we assign, and the expected remediation window.
• No legal action for research conducted in good faith within the scope above. See the Safe Harbor section below.
• Credit on the acknowledgements list (see end of page) if you want it.

Safe harbor

ASPE Labs will not initiate legal action against researchers who operate in good faith under the terms below.

• Stay within the In scope list above.
• Do not exfiltrate, modify, or destroy data beyond what is needed to demonstrate the vulnerability.
• Do not degrade the availability of the service (no DoS testing, no mass-scanning that impacts availability).
• Give us a reasonable remediation window before public disclosure — typically 90 days for Low / Medium, 30 days or coordinated for High / Critical. We can move faster if the issue is under active exploitation.
• If a test may affect user funds (Phase 0 is operator's own capital only — see Phase 0 disclaimer), coordinate with us before executing.

Formal participation in the SEAL Safe Harbor framework is planned for Phase 1, once the legal entity is formed. Until then, this page is our Safe Harbor declaration in good faith.

Rewards

ASPE Labs is a side-project in Phase 0 with no external capital and no operating budget for a formal bug bounty.

• Acknowledgement on this page (your choice).
• Case-by-case payments from the operator's own resources for valid, impactful reports. We cannot commit a structured tier table yet; we will be explicit and fair when a report lands.
• Phase 1 bounty program is planned once the vault carries external capital and a legal entity exists. Structured tier table will be published on this page when live.

Self-audit context

The codebase has been self-audited by the ASPE Labs team following tier-1 methodology (Trail of Bits / OpenZeppelin / Spearbit / Cantina format). It is not a third-party formal audit — external audit is committed and will be contracted at one of three triggers (TVL ≥ $200K AUM sustained 30 days, protocol revenue covers cost, or six months post Phase 1 launch). ETA Q3 2026.

Acknowledgements

Researchers who have contributed to the security of ASPE Labs.

No external disclosures received yet. When we receive valid reports and you opt in to credit, your handle appears here with the date, asset, and severity.