Responsible disclosure, PG[Σ] by default.
If you've found a vulnerability in the L3RS-1 reference implementation, the Flow router, or any T3RRA-operated infrastructure, we want to hear from you.
T3RRA publishes security contact information at /.well-known/security.txt. PGP key forthcoming. Until then, coordinate responsible disclosure through security@t3rra.co.
In scope.
L3RS-1 reference implementation
On the eight launch chains: Ethereum, Solana, Base, Arbitrum, Polygon, BNB Chain, Avalanche, Stellar.
Flow cross-chain router
Bridge committee attestation and route certificate generation.
T3RRA web properties
t3rra.co and all subdomains operated by T3RRA.
Out of scope.
- Third-party chains themselves.
- Social engineering of T3RRA personnel or partners.
- Denial-of-service without a working proof of exploitable impact.
- Findings already documented in a published audit report.
What you can expect.
Triaged within 2 business days.
You get a human response, not an auto-ack.
Credit where credit is due.
Researchers are acknowledged on this page (opt-in).
No legal action against good-faith research.
Safe harbor language below.
Safe harbor
T3RRA will not pursue civil or criminal action against researchers who act in good faith, stay within the scope above, avoid privacy violations and service degradation, and give us a reasonable window to remediate before public disclosure.
Researchers who helped.
We'll list researchers here as disclosures are resolved. Be the first.
A machine-readable version of this policy is published at /.well-known/security.txt. PGP key forthcoming. Until then, coordinate responsible disclosure through security@t3rra.co.
Last updated: June 2026.