From e90bc5992b17c5f08888bf030bce53b47aa80c88 Mon Sep 17 00:00:00 2001
From: Aly <16789036+aly-obol@users.noreply.github.com>
Date: Wed, 22 Apr 2026 22:55:39 -0400
Subject: [PATCH] Include Obol SDK and API in the bug bounty program, exclude
 alpha commands

---
 docs/adv/security/bug-bounty.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/adv/security/bug-bounty.md b/docs/adv/security/bug-bounty.md
index accdc2d72e..b2cde976a8 100644
--- a/docs/adv/security/bug-bounty.md
+++ b/docs/adv/security/bug-bounty.md
@@ -24,9 +24,14 @@ Eligible submissions must involve software and services developed by Obol, speci
 
 - Charon the DV Middleware Client
 - Obol DV Launchpad and Public API
+- Obol SDK and APIs
 - Obol Splits Contracts
 - Obol Labs hosted Public Relay Infrastructure
 
+:::note
+Vulnerabilities found in Charon code under the `alpha` subcommand may be down-weighted in severity, as these features are not recommended for production use.
+:::
+
 Submissions related to the following are considered out of scope:
 
 - Social engineering