The Decred project runs a bug bounty program which is approved by the stakeholders and is funded by the Decred treasury.

Please refer to the bounty website to understand the scope and how to submit a vulnerability.

https://bounty.decred.org/

dcrlnd is part of Decred's Bug Bounty Program on an experimental basis while we haven't yet deployed into mainnet.

Additionally, given the current nature of this work as a fork from the original lnd code, bugs that have been submitted to the upstream lnd project are not eligible for the bug bounty program unless the following points apply:

• The bug affects a mainnet worthy release of dcrlnd;
• The fix for the bug was not merged from the upstream repo while a substantial amount of upstream commits that are newer than the relevant one were merged;
• The bug is not critical to lnd but it is to dcrlnd.