Disclosure Policy

Do not disclose any bug or vulnerability on public forums, message boards, mailing lists, etc. prior to responsibly disclosing to Nighthawk Apps and giving sufficient time for the issue to be fixed and deployed. Do not execute on or exploit any vulnerability.

Reporting a Bug or Vulnerability

When reporting a bug or vulnerability, please provide the following to nighthawkwallet@protonmail.com

A short summary of the potential impact of the issue (if known). Details explaining how to reproduce the issue or how an exploit may be formed. Your name (optional). If provided, we will provide credit for disclosure. Otherwise, you will be treated anonymously and your privacy will be respected. Your email or other means of contacting you. A PGP key/fingerprint for us to provide encrypted responses to your disclosure. If this is not provided, we cannot guarantee that you will receive a response prior to a fix being made and deployed.

Encrypting the Disclosure

We highly encourage all disclosures to be encrypted to prevent interception and exploitation by third-parties prior to a fix being developed and deployed. Please encrypt using the PGP public key with fingerprint: 8c07e1261c5d9330287f4ec35aff0fd018b01972


There are some known areas for improvement:

  • This app depends upon related libraries that it uses. There may be bugs.
  • The wallet only supports transactions between shielded Z-addresses, rendering it incompatible with wallets that cannot send to supported shielded pools.
  • Similar to other cryptocurrency wallets, traffic analysis can potentially compromise user privacy.
  • The wallet relies on the lightwalletd server to provide accurate transaction information, necessitating trust in the server.
  • This app has been developed and run exclusively on mainnet and may not function correctly on testnet.

For more information regarding the security and privacy limitations of the wallet, please refer to the Wallet App Threat Model.