Security: Finland93/ChainLens

SECURITY.md

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability in ChainLens, do NOT open a public issue.

Instead, email: security@chainlens.fi

We will respond within 48 hours and work with you to understand and fix the issue before any public disclosure.

Scope

Security issues we care about:

  • XSS vulnerabilities in the scanner output
  • API response injection attacks
  • Ways to manipulate scan results to show false safety
  • Privacy leaks (data sent to unintended third parties)

Out of scope:

  • Issues in third-party APIs (report to them directly)
  • Rate limiting of public APIs (by design, client-side only)
  • Social engineering attacks not related to the codebase

Architecture Note

ChainLens is a client-side-only application. There is no backend server, database, or user authentication. All API calls go directly from the user's browser to public data sources. This significantly limits the attack surface.

There aren’t any published security advisories