Bron never holds or controls user private keys, funds, or assets. All transactions are user-initiated and executed directly with third-party smart-contract protocols. Swap and staking functions are performed via independent third-party APIs. Bron only provides technical access and does not pool, intermediate, or custody user assets.
Vulnerability Report Template
Use the following template when submitting a report to [email protected]
Email Subject:
[Bron VDP] VDP: <Brief vulnerability name> — <domain/product>
Email Body:
Product/Domain: <e.g.: api.bron.xyz / web.bron.org / mobile-ios>
Version/Build: <version number, build, date>
Vulnerability Class: <OWASP/CWE>
Brief Description (2-3 sentences):
<what happens and why it's bad>
Reproduction Steps (step-by-step, numbered list):
1) Open https://...
2) Execute POST /api/...
3) Response: ...
Request/Response texts (full HTTP requests and responses):
<full request and response texts, including headers;
use curl / raw HTTP format or attach .txt files>
Timestamp (date and time of testing):
<date and time of test execution, e.g.: 2025-10-24 14:32:15 UTC>
Exploit code / link:
<exploit code (Python, JavaScript, Bash, etc.) or link to GitHub Gist
to simplify reproduction; optional but recommended>
Expected / Actual Behavior:
• Expected:
Describe how the system should behave in the correct scenario
(e.g., "After submitting correct credentials, the token is tied to the user's
account and does not provide access to other users' data").
• Actual:
Describe what you actually observe
(e.g., "When sending X, the token is issued with administrator rights
and allows reading other users' profiles").
Impact / Business Risks:
<briefly: what data/functions may be compromised,
possibility of fund theft, PII, etc.>
CVSS v4.0 (Base vector):
<optional; we recommend using the calculator
https://www.first.org/cvss/calculator/4-0>
Remediation recommendations (optional, but encouraged):
<if you understand how to fix the vulnerability, provide recommendations with code examples or specific mitigation strategies;
not mandatory, but reports with detailed remediation may receive a bonus of up to 10% of the reward>
PoC / Proof files:
<attachments: screenshots, requests/responses, curl commands, minimal exploit scripts;
compute a SHA-256 hash of every attached file and list the hashes in the e-mail body so the files can be verified on receipt>
Test Account / Data Used:
<specify logins/passwords, device id, etc.>
Reporter Contact:
<name/alias, e-mail, timezone>
Bron Wallet Address:
<your Bron wallet address for reward distribution>
I agree to comply with the Responsible Vulnerability Disclosure Policy of Bron Foundation.
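The template asks for three things a reporter tends to assemble by hand: a UTC timestamp in the shown format, the full HTTP request and response text including headers, and SHA-256 hashes of every attached file. The script below is an added example, not part of Bron's VDP text or tooling, showing one way to produce all three from a shell. The file names and the `capture_http` usage line are hypothetical; the demo at the bottom runs on a constructed sample file so it works offline.

```shell
#!/usr/bin/env bash
# Added example (not Bron's code): build the evidence files the VDP template asks for.
set -eu

# UTC timestamp in the template's format, e.g. "2025-10-24 14:32:15 UTC".
utc_now() { date -u '+%Y-%m-%d %H:%M:%S UTC'; }

# SHA-256 of one file; falls back across GNU coreutils, macOS shasum and OpenSSL.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum -- "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 -- "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 -r -- "$1" | awk '{print $1}'
  fi
}

# Capture a full exchange for the "Request/Response texts" field.
# --trace-ascii writes both directions, headers included, to OUT; --trace-time
# stamps each line so the capture also documents when the test ran.
# Hypothetical usage (not run here, needs network):
#   capture_http evidence/01-token.txt -X POST https://api.example.test/login -d '{}'
capture_http() {
  out="$1"; shift
  curl -sS --trace-ascii "$out" --trace-time -o /dev/null "$@"
}

# Emit "sha256  filename" for every regular file in DIR, ready to paste into
# the "PoC / Proof files" field of the e-mail.
poc_manifest() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename -- "$f")"
  done
}

# Demo on a constructed sample so the script runs offline.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/01-token-request.txt" <<'EOF'
== Info: constructed sample capture, not a real exchange
=> Send header
0000: POST /api/example HTTP/1.1
<= Recv header
0000: HTTP/1.1 200 OK
EOF
echo "Timestamp (date and time of testing): $(utc_now)"
echo "PoC / Proof files (SHA-256):"
poc_manifest "$demo_dir"
rm -rf "$demo_dir"
```

Keep the capture files unmodified after hashing; a reviewer who recomputes the hashes on the received attachments should get exactly the values listed in the e-mail.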
Incomplete reports may receive reduced rewards. If essential components (reproduction steps, request/response data, timestamps, or PoC) are missing or insufficient, our security team may lower the reward amount at its discretion.
Conversely, well-documented reports with additional impact analysis, refined exploitation vectors, or comprehensive PoC may receive increased rewards.
💡 Bonus Opportunity: Reports including detailed remediation recommendations with code examples or specific mitigation strategies may receive a bonus of up to 10% of the reward.