Privacy Policy

This Privacy Policy explains how Bastion collects, uses, stores, and protects information related to accounts, wallets, projects, reports, and researcher activity.

Last updated: June 6, 2026

1. Overview

Bastion (bastion.report) collects information needed to operate a Web3 security coordination platform. This includes account information, wallet addresses, project information, researcher profile information, vulnerability reports, communication records, and activity metadata.

This Privacy Policy describes what we collect, how we use it, and the choices available to users of the platform.

2. Information We Collect

Depending on how you use Bastion, we may collect:

  • Wallet addresses
  • Usernames and display names
  • Profile bios
  • Avatar URLs
  • Contact email if you provide one
  • Social links such as GitHub, X/Twitter, and websites
  • Researcher specializations and profile metadata
  • Project names, descriptions, websites, and ecosystems
  • Security readiness and passport information
  • Bounty and launch readiness program information
  • Report submissions, messages, statuses, and attachments
  • Reputation metrics, verification status, and activity history
  • Payout, subscription, or escrow metadata where applicable
  • Technical information such as logs, device and browser metadata, session data, and security events

3. Wallet Addresses and Authentication

Bastion may use wallet signatures to authenticate users. Wallet addresses may be displayed publicly on profiles, reports, or activity records where the platform design requires it. Wallet signatures are used to verify account control at sign-in.

Bastion does not ask for private keys or seed phrases. You should never share private keys, seed phrases, or wallet credentials with Bastion or any third party claiming to represent Bastion.

4. Profile Information

Researcher profiles and Project Passports may include public information visible to other users and visitors. Public information may include username, display name, bio, avatar, social links, specializations, ecosystem activity, reputation score, verification tier, accepted findings, and public project security information.

Private fields and sensitive workspace data are shown only to authorized users according to platform permissions and program settings.

5. Reports and Communications

Vulnerability reports may contain sensitive technical information. Reports are generally private between researchers, authorized project team members, and authorized Bastion roles unless disclosure is explicitly authorized by the project or applicable workflow.

Bastion may process report content, messages, statuses, attachments, severity labels, review outcomes, and related metadata to operate disclosure workflows, reputation tracking, notifications, and dispute handling.

6. Project Information

Projects may publish public security posture information, including:

  • Project name and ecosystem
  • Website and public contact signals
  • Security contact and disclosure policy status
  • Active bounty or launch readiness program status
  • In-scope assets and technology stack where provided
  • Security readiness signals and passport metadata

Projects are responsible for the accuracy of the information they submit and publish on Bastion.

7. How We Use Information

We use collected information to:

  • Authenticate users and maintain sessions
  • Operate researcher and project workspaces
  • Display public researcher and project profiles
  • Process and route vulnerability reports
  • Track reputation, verification, and program participation
  • Manage bounty and launch readiness programs
  • Improve platform security and reliability
  • Detect, investigate, and prevent abuse
  • Provide support and operational communications
  • Maintain audit and activity history where needed

We do not sell personal data.

8. Third-Party Services

Bastion may use third-party infrastructure and tools to operate the platform, including database hosting, authentication helpers, wallet connection libraries, blockchain RPC providers, hosting providers, payment processors, analytics, and communication services.

For example, Bastion may use Supabase for database and storage infrastructure, and wallet providers or libraries to enable wallet connection and signature verification. These providers process data according to their own terms and policies, and only as needed to support platform operations.

9. Security

Bastion uses technical and organizational measures designed to protect information, including access controls, encryption for sensitive report content where implemented, and monitoring for suspicious activity.

No system is perfectly secure. Users should protect wallets, devices, and credentials. Sensitive vulnerability information should be submitted only through authorized Bastion workflows.

10. Data Retention

Bastion may retain account, report, project, reputation, and activity data as needed to operate the platform, maintain security history, resolve disputes, comply with legal obligations, and prevent abuse.

Users may request deletion or updates where supported by the platform. Some records may need to be retained for security, audit, dispute, or legal purposes even after an account stops using Bastion.

11. Your Choices

You may:

  • Update profile information in your account settings
  • Disconnect or update social links where supported
  • Choose what information to publish in public profiles, subject to platform and program requirements
  • Stop using the platform at any time

12. Children's Privacy

Bastion is not intended for children. We do not knowingly collect personal information from children. If you believe a child has provided information to Bastion, contact us through the methods provided on the platform.

13. Changes to Policy

Bastion may update this Privacy Policy from time to time. We will update the “Last updated” date when changes are posted. Continued use of Bastion after changes become effective means you accept the updated Privacy Policy.

14. Contact

For privacy questions, contact the Bastion team through the contact methods provided on the platform.