Skip to main content
If you have found a security vulnerability in Archr, report it privately. Do not open a public GitHub issue and do not post details in a public reply to @archrdeploy — public disclosure of an unpatched flaw puts every launcher and holder at risk.

How to report

DM @archrdeploy on X to open a private line and wait for an operator to move the conversation to DMs before sharing details or a proof of concept. Do not post vulnerability details in public tweets or replies, and do not open a GitHub issue. Please give the team a reasonable window to investigate and ship a fix before disclosing the issue anywhere publicly.

Scope

In scope: Out of scope: third-party infrastructure, dependencies, and services Archr does not operate (Robinhood Chain itself, Uniswap V3, Chainlink feeds, Vercel, wallet extensions, RPC providers); denial-of-service against public endpoints; and findings that require physical access to a user’s device or social engineering of unrelated individuals.

Good-faith safe harbor

We will not pursue or support legal action against researchers who, in good faith:
  • Report a vulnerability through the private channel above.
  • Avoid privacy violations, data destruction, and any disruption to launched coins, LP positions, or other users.
  • Give the team a reasonable opportunity to remediate before any public disclosure.
Testing should never put other users’ funds or positions at risk. If in doubt about whether an action is in scope, ask first.