T3RRA
Security

Responsible disclosure, PG[Σ] by default.

If you've found a vulnerability in the L3RS-1 reference implementation, the Flow router, or any T3RRA-operated infrastructure, we want to hear from you.

T3RRA publishes security contact information at /.well-known/security.txt. PGP key forthcoming. Until then, coordinate responsible disclosure through security@t3rra.co.

Scope

In scope.

L3RS-1 reference implementation

On the eight launch chains: Ethereum, Solana, Base, Arbitrum, Polygon, BNB Chain, Avalanche, Stellar.

Flow cross-chain router

Bridge committee attestation and route certificate generation.

T3RRA web properties

t3rra.co and all subdomains operated by T3RRA.

Out of scope.

  • Third-party chains themselves.
  • Social engineering of T3RRA personnel or partners.
  • Denial-of-service without a working proof of exploitable impact.
  • Findings already documented in a published audit report.
Our Commitments

What you can expect.

Triaged within 2 business days.

You get a human response, not an auto-ack.

Credit where credit is due.

Researchers are acknowledged on this page (opt-in).

No legal action against good-faith research.

Safe harbor language below.

Safe harbor

T3RRA will not pursue civil or criminal action against researchers who act in good faith, stay within the scope above, avoid privacy violations and service degradation, and give us a reasonable window to remediate before public disclosure.
Hall of Thanks

Researchers who helped.

We'll list researchers here as disclosures are resolved. Be the first.

A machine-readable version of this policy is published at /.well-known/security.txt. PGP key forthcoming. Until then, coordinate responsible disclosure through security@t3rra.co.

Last updated: June 2026.