# Security & Audits

> Markdown export of the Gearbox Protocol documentation page for agents and retrieval systems.

Canonical page: https://docs.gearbox.finance/developers/res-security
Source file: content/developers/res-security.mdx
Section router: https://docs.gearbox.finance/developers/llms.txt
Section full export: https://docs.gearbox.finance/developers/llms-full.txt

Gearbox Protocol takes security seriously. The protocol has undergone multiple independent audits and maintains an active bug bounty program.

## Audit Reports

Gearbox smart contracts have been audited by leading security firms. The following reports cover the core protocol and its extensions:

| Auditor             | Scope             | Report                                                                                   |
| ------------------- | ----------------- | ---------------------------------------------------------------------------------------- |
| ChainSecurity       | Core V3           | [View Report](https://github.com/Gearbox-protocol/security/blob/main/audits/PLACEHOLDER) |
| Consensys Diligence | Core V3           | [View Report](https://github.com/Gearbox-protocol/security/blob/main/audits/PLACEHOLDER) |
| Sigma Prime         | V3 Integrations   | [View Report](https://github.com/Gearbox-protocol/security/blob/main/audits/PLACEHOLDER) |
| ABDK                | V3 Math Libraries | [View Report](https://github.com/Gearbox-protocol/security/blob/main/audits/PLACEHOLDER) |

> Links above are placeholders. Visit the [Gearbox security repository](https://github.com/Gearbox-protocol/security) for the latest audit reports.

***

## Bug Bounty Program

Gearbox maintains an active bug bounty program on **Immunefi**, one of the largest Web3 security platforms.

- **Platform:** [Immunefi](https://immunefi.com/)
- **Scope:** Smart contracts, protocol logic, and integrations
- **Rewards:** Up to $1,000,000 for critical vulnerabilities (severity-dependent)

If you discover a potential vulnerability, please report it through the Immunefi platform rather than disclosing it publicly. Responsible disclosure is critical for protecting user funds.

***

## Bytecode Repository (BCR) Verification

Gearbox uses a Bytecode Repository (BCR) to ensure that only audited, verified bytecode is deployed on-chain. This provides an additional layer of security beyond source-code audits by verifying the exact compiled output.

For details on how BCR verification works and how to check deployed contracts, see [BCR Verification](https://docs.gearbox.finance/developers/gp-bcr).
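The following is an added example of the general check the paragraph above describes: comparing the runtime bytecode a node reports for an address against the bytecode produced by the audited build. It is illustrative code written for this page, not Gearbox's BCR implementation, and it assumes the caller has already obtained the deployed code (for example via `eth_getCode`) and the expected code from the audited compiler artifact. The helper names (`strip_solidity_metadata`, `verify_runtime_bytecode`, `hex_to_bytes`) and the sample bytecodes are constructed for the example.

```python
"""Added example: checking that deployed runtime bytecode matches an audited
build artifact. Generic illustration of bytecode verification, not Gearbox's
own BCR implementation.

Assumptions (not from the page):
  * `deployed` is the runtime code a node returns for an address (eth_getCode),
    already converted from its "0x..." hex string to bytes;
  * `expected` is the runtime bytecode from the audited compiler output.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationResult:
    exact_match: bool               # byte-for-byte identical (the pass criterion)
    match_ignoring_metadata: bool   # identical once the CBOR metadata trailer is dropped
    deployed_len: int
    expected_len: int


def hex_to_bytes(code_hex: str) -> bytes:
    """Convert an eth_getCode-style hex string (with or without 0x) to bytes."""
    code_hex = code_hex.strip()
    if code_hex.startswith(("0x", "0X")):
        code_hex = code_hex[2:]
    return bytes.fromhex(code_hex)


def strip_solidity_metadata(code: bytes) -> bytes:
    """Drop the CBOR metadata trailer that solc appends to runtime bytecode.

    The last two bytes hold the trailer length (big-endian); the trailer sits
    immediately before them. If no plausible trailer is present, return the
    code unchanged rather than guessing.
    """
    if len(code) < 2:
        return code
    meta_len = int.from_bytes(code[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(code):
        return code
    return code[: len(code) - meta_len - 2]


def verify_runtime_bytecode(deployed: bytes, expected: bytes) -> VerificationResult:
    """Strict equality is the check an exact-output verification requires.

    The metadata-tolerant flag is a diagnostic only: it tells a reviewer
    whether a mismatch is confined to the metadata trailer (e.g. a different
    source-path hash) or actually touches executable code.
    """
    exact = deployed == expected
    ignoring_meta = strip_solidity_metadata(deployed) == strip_solidity_metadata(expected)
    return VerificationResult(exact, ignoring_meta, len(deployed), len(expected))


# ---- Constructed sample inputs (not real contracts) ------------------------
def _with_trailer(body: bytes, trailer: bytes) -> bytes:
    """Append a fake metadata trailer in solc's layout: trailer + 2-byte length."""
    return body + trailer + len(trailer).to_bytes(2, "big")


_BODY = bytes.fromhex("6080604052")      # PUSH1 0x80 PUSH1 0x40 MSTORE (typical prologue)
_TRAILER_A = bytes(range(8))             # stands in for one CBOR metadata blob
_TRAILER_B = bytes(range(8, 16))         # a different blob over the same code

EXPECTED = _with_trailer(_BODY, _TRAILER_A)
DEPLOYED_OK = _with_trailer(_BODY, _TRAILER_A)                   # correct deployment
DEPLOYED_META_DIFF = _with_trailer(_BODY, _TRAILER_B)            # only metadata differs
DEPLOYED_TAMPERED = _with_trailer(_BODY + b"\xff", _TRAILER_A)   # executable code altered

if __name__ == "__main__":
    for name, code in [("ok", DEPLOYED_OK), ("meta-diff", DEPLOYED_META_DIFF),
                       ("tampered", DEPLOYED_TAMPERED)]:
        print(name, verify_runtime_bytecode(code, EXPECTED))
```

Only `exact_match` should gate acceptance; a trailer-only difference still means the deployed artifact is not the audited one, and the diagnostic flag exists so the reviewer knows where to look. Contracts that use Solidity `immutable` values have those values written into the runtime code at deployment, so a real comparison against a build artifact must account for them before applying a strict equality check.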

***

## Security Contact

For security-related inquiries that do not fall under the bug bounty program:

- **Email:** security@gearbox.fi
- **PGP Key:** Available on the [Gearbox security repository](https://github.com/Gearbox-protocol/security)

Please do not report vulnerabilities via email. Use the Immunefi bug bounty program for all vulnerability disclosures.

***

## Security Practices

The Gearbox Protocol follows several security best practices:

- **Multiple independent audits** before each major release
- **Formal verification** of critical mathematical components
- **Timelocks and multisig governance** for parameter changes
- **Immutable core logic** with upgradeable configuration
- **On-chain BCR verification** ensuring only audited bytecode is deployed
- **Continuous monitoring** of protocol health and anomalous activity
