Reporting Issues

How to file a bug, how to disclose a security finding privately, and what to expect in response. We treat security reports seriously, but please read this page first.

1. Bugs (non-security)

Open a GitHub issue at github.com/b3chain/b3chain/issues. Useful information to include:

  • b3chain commit hash (git rev-parse HEAD)
  • OS and version (uname -a)
  • Build flags / cmake options used
  • Steps to reproduce, including any audit-script command line
  • Full debug.log from the affected node, or the audit script's complete output

2. Security disclosures

Email security@b3chain.org. Do not file a public issue for any of the following classes of bug:

  • Consensus-affecting bugs (anything that could split the chain between honest nodes)
  • Resource-exhaustion or remote-crash bugs in the P2P stack
  • Wallet bugs that could leak keys or sign unintended outputs
  • RPC bugs that bypass authentication or expose private data
  • Any cryptographic weakness in the BLAKE3 PoW or our use of it

Encrypt with our PGP key if you handle the report at the OS level (the key fingerprint will be published on the security page once available).

3. What to expect

  • Acknowledgement within 72 hours from a human, not a bot.
  • Triage decision within 7 days: accept, request more info, or decline (with reason).
  • Fix timeline for accepted reports: best-effort; consensus bugs are top priority and usually patched within days.
  • Coordinated disclosure. We aim to publish a fix and a public CVE-style advisory within 90 days of acknowledgement, with the reporter credited (unless anonymity is requested).

4. Bounty

There is no formal bounty programme yet. We will publicly acknowledge every reporter who follows the disclosure rules above and (eventually) pay bounties scaled to severity once a treasury exists. Do not expect a payout today; do expect credit and respect.

5. Out of scope

  • Phishing — we cannot stop people building lookalike sites. See the identity & impersonation section.
  • Pre-launch token claims — there is no token, full stop. Anyone selling B3C is selling nothing.
  • Bugs in upstream Bitcoin Core that we have not modified — please report those directly to the Bitcoin Core security process.

6. Contact summary

  • Bugs: GitHub Issues
  • Security: security@b3chain.org
  • Acknowledgement window: 72 hours
  • Disclosure window: 90 days (negotiable)