Security: mitosis-org/protocol

SECURITY.md

Security Policy

Reporting a Vulnerability

The team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose any vulnerabilities you find.

How to Report

Please do NOT report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

  1. Email: Send details to [email protected]
  2. GitHub Security Advisories: Use the private vulnerability reporting feature

What to Include

When reporting a vulnerability, please include:

  • Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting)
  • Full paths of source file(s) related to the manifestation of the issue
  • The location of the affected source code (tag/branch/commit or direct URL)
  • Any special configuration required to reproduce the issue
  • Step-by-step instructions to reproduce the issue
  • Proof-of-concept or exploit code (if possible)
  • Impact of the issue, including how an attacker might exploit the issue

Response Timeline

  • Initial Response: We will acknowledge receipt of your vulnerability report within 48 hours
  • Investigation: We will investigate and validate the vulnerability within 7 days
  • Resolution: We will work on a fix and provide updates on our progress
  • Disclosure: We will coordinate with you on the disclosure timeline

Responsible Disclosure

We believe in responsible disclosure and ask that you:

  • Give us reasonable time to investigate and fix the issue before public disclosure
  • Do not access, modify, or delete data that doesn't belong to you
  • Do not perform any actions that could negatively impact other users
  • Do not publicly disclose the vulnerability until we have addressed it

Security Features

protocol implements several security measures:

  • Code Audits: Regular security audits of critical components
  • Dependency Scanning: Automated scanning for known vulnerabilities in dependencies
  • Static Analysis: Continuous static code analysis for security issues
  • Access Controls: Strict access controls for critical infrastructure
  • Encryption: All sensitive data is encrypted at rest and in transit

Security Advisories

We will publish security advisories for any vulnerabilities that could affect users:

  • GitHub Security Advisories: Published on our GitHub repository
  • Community Channels: Announced in our Discord and Telegram channels
  • Documentation: Updated security guidance in our documentation

Bug Bounty Program

We are planning to launch a bug bounty program to reward security researchers who help us identify vulnerabilities. Details will be announced soon.

Contact Information

For security-related questions or concerns:

Legal Safe Harbor

We will not pursue legal action against security researchers who:

  • Follow this responsible disclosure process
  • Act in good faith
  • Do not violate any laws
  • Do not access or modify data beyond what is necessary to demonstrate the vulnerability

Thank you for helping us keep Mitosis secure! 🔒