Responsible Disclosure

HeliumDesktop welcomes responsible security reports from independent researchers, users, and ecosystem contributors. This policy applies to vulnerabilities relating to the website, downloads, release verification mechanisms, documentation, and the desktop wallet software itself.

We believe that private disclosure is the safest path forward. It ensures issues can be thoroughly assessed, patched, and distributed to the community before broad publication.

All security reports should be submitted privately through our designated security contact channel. Please do not open public GitHub issues, post on Discord, or tweet about the vulnerability before it has been acknowledged and resolved.

Encouraging private reports helps us protect end-users from opportunistic exploitation while we work diligently to resolve the underlying concern.

Please send all security-related communications directly to our security team. For sensitive vulnerabilities, we highly recommend encrypting your communication using our PGP key.

To help us triage and verify your report efficiently, please include the following information in your initial communication:

We are primarily interested in practical vulnerabilities that represent a tangible risk to our users. Examples of in-scope issues include:

• Distribution Security: Installer tampering concerns, checksum or signature verification failures, or release artifact trust issues.
• Wallet Integrity: Security-impacting bugs in local wallet operations, key generation, or transaction signing flows.
• Deceptive UI: Misleading user interfaces that could lead a user to perform unsafe signing behaviors or expose private data.
• Data Exposure: Unintended local or remote exposure of sensitive data (like unencrypted keys resting in predictable directories).
• Web Infrastructure: Vulnerabilities in the official website that could compromise release trust, domain control, or site security.

To ensure our team can focus on critical security threats, the following categories are generally considered out of scope for this disclosure process:

• General support requests or routine bug reports (e.g., wallet sync issues).
• Feature requests or UI/UX improvements lacking a distinct security impact.
• Issues relating to third-party services, RPC nodes, or external dependencies outside our direct control.
• Attacks requiring unrealistic levels of user interaction or physical access to an unlocked device.
• Reports generated by automated scanning tools without manual validation or a clear exploit path.

When conducting vulnerability research, we ask that you adhere strictly to the following principles:

• Act in good faith to discover and report vulnerabilities responsibly.
• Avoid any actions that could result in privacy violations, data destruction, or interruption of services (e.g., DoS/DDoS attacks).
• Do not exploit a vulnerability beyond what is strictly necessary to demonstrate the issue.
• Do not access, modify, or interact with other users' funds, private keys, or personal data under any circumstances.

In response to a good-faith report submitted in accordance with this policy, the project team aims to:

• Acknowledge receipt of valid reports in a timely manner.
• Review the submitted information and provide an initial assessment of the issue.
• Maintain open communication regarding the validation and remediation process.
• Remediate confirmed security vulnerabilities when technically feasible and appropriate.
• Coordinate public disclosure timing responsibly, factoring in user safety.

If a report is validated and requires a fix, the project will work with the reporter to establish a coordinated disclosure timeline. The exact timing of disclosure will depend on the severity of the vulnerability, the potential risk to users, and the required progress for implementing and distributing a patch.

We ask that researchers refrain from discussing or publishing details about the vulnerability until the coordinated embargo period has concluded and an official advisory has been published or authorized.

Please note that this safe harbor applies only to legal claims under the project's direct control. We cannot authorize research on third-party infrastructure or exempt researchers from independent third-party claims.

At this time, HeliumDesktop does not operate a formal, public bug bounty program with guaranteed financial payouts. All security reports are treated as voluntary contributions to open-source and community security.

Recognition, formal public credit in release notes, or other follow-up measures may be provided entirely at the project’s discretion for exceptionally high-impact, coordinated disclosures.

To submit a report, or if you have questions regarding the scope of this policy, please reach out via our primary security channel: