Bug bounty
Report security vulnerabilities in Merum responsibly through the Immunefi bug bounty program.
Merum runs a bug bounty program to reward security researchers who responsibly disclose vulnerabilities. If you find a security issue, report it — do not exploit it.
How to report
- Primary channel: the Merum bug bounty program on Immunefi. The program page lists in-scope assets, severity tiers, and reward amounts.
- Direct contact: for urgent or sensitive reports, email security@merum.xyz. This address is also published in the site's security.txt per RFC 9116.
When reporting, include enough detail to reproduce the issue: affected contract or component, the conditions required, and the potential impact. A proof of concept on a testnet or a local fork is welcome; do not test against mainnet contracts with live user funds.
Scope and rewards
Reward amounts scale with the severity and impact of the vulnerability, with the highest rewards reserved for issues that could lead to a loss of user funds. The Immunefi program page is the authoritative source for current scope, severity classification, and reward figures.
Responsible disclosure
We ask researchers to:
- Give us a reasonable window to investigate and remediate before any public disclosure.
- Avoid privacy violations, data destruction, and any interruption of the protocol.
- Not exploit a vulnerability beyond what is necessary to demonstrate it.
If you act in good faith under these guidelines, you will not be subject to legal action from Merum for your research. We are grateful to the researchers who help keep the protocol safe.