MPC Cryptography Library

Rewards for the bron-crypto open source library

🔐 Non-Custodial Operations

Bron never holds or controls user private keys, funds, or assets. All transactions are user-initiated and executed directly with third-party smart-contract protocols. Swap and staking functions are performed via independent third-party APIs. Bron only provides technical access and does not pool, intermediate, or custody user assets.

Library Overview

bron-crypto is an open source MPC (Multi-Party Computation) cryptography library that implements threshold signature schemes. This library is part of the Bron wallet infrastructure and is licensed under Apache License 2.0.

Repository: github.com/bronlabs/bron-crypto
Security Policy: SECURITY.md in the repository

For detailed information about scope and experimental features, please refer to the SECURITY.md file in the repository. All reports must be submitted via email to [email protected].

Reward Calculation

Rewards are calculated based on the CVSS v4.0 Base score when applicable. Use the official calculator: https://www.first.org/cvss/calculator/4-0

🎖️ NFT Reward Guarantee

Every accepted bounty submission entitles the researcher to a non-transferable Bron NFT in addition to the monetary reward listed below. The NFT grants a complimentary Basic tier subscription for 2026 (or an upgrade to the next tier if Basic is already active, capped at Enterprise). To receive any reward, a Bron wallet is required — bounty payments are distributed in stablecoins to the researcher's Bron wallet address.

Severity Level   CVSS v4.0 Score   Reward Range (USD)
Low              0.1 — 3.9         $100 — $500
Medium           4.0 — 6.9         $500 — $5,000
High             7.0 — 8.9         $5,000 — $10,000
Critical         9.0 — 9.4         $10,000 — $20,000
Exceptional      9.5 — 10.0        more than $20,000

⚠️ Important: Expert Assessment for Complex Vulnerabilities

If a vulnerability is complex or cannot be properly assessed using CVSS v4.0 metrics, the reward assessment will be conducted individually based on expert evaluation by the core development team.

Cryptographic vulnerabilities in MPC libraries often arise from interactions between mathematical primitives, protocol implementations, and the security properties they are meant to guarantee, and these interactions do not always map cleanly onto standard CVSS metrics. In such cases, our security team will evaluate the vulnerability based on:

  • Potential impact on threshold signature security
  • Exploitation complexity and feasibility
  • Affected components and their criticality
  • Business and security context
  • Novelty and research value of the finding

The final reward amount is then set by expert analysis, so that valuable security research is compensated fairly while staying consistent with the overall structure of the bug bounty program.

💰 Reward Adjustments

If the proof of concept demonstrates a direct impact on threshold signature security, a key generation flaw, or a protocol-level vulnerability, our security team may award an amount toward the upper end of the applicable range.

🛡️ Compliance Notice

All bounty payments are made in USD-denominated stablecoins to the researcher's Bron wallet address and are subject to sanctions screening and anti-money-laundering controls consistent with Bron's compliance policy. Rewards cannot be paid to individuals or entities on applicable sanctions lists.

Scope Information

The bug bounty program covers security vulnerabilities in threshold signature schemes and their direct or indirect dependencies. For additional scope details, see the SECURITY.md file in the repository.

📋 Key Scope Points
  • In Scope: Threshold signature schemes and their direct or indirect dependencies, cryptographic implementation flaws, memory safety issues, logic errors in threshold signature schemes, issues in key generation/signing/verification protocols, vulnerabilities in BoringSSL integration
  • Out of Scope: Side-channel vulnerabilities (timing attacks and similar); experimental features that are not dependencies of the threshold signature schemes; vulnerabilities in third-party dependencies (unless they create bron-crypto-specific security issues); availability and denial-of-service findings, including Go panics or crashes triggered by malformed input. The MPC library's threat model assumes authenticated participants and focuses on the confidentiality and integrity of threshold signatures; in the no-honest-majority setting any participant can abort a protocol run, so a process crash is treated as an expected boundary condition rather than a vulnerability.

How to Report

All vulnerability reports for the MPC library must be submitted by email to the security address listed above.

GitHub Security Advisories are no longer accepted as a submission channel. All reports must go through email.