Disclosure Policy
CanonicalPurpose
This document defines the draft responsible disclosure boundary for Axodus security issues. It is not a public bug bounty program, legal commitment, audit statement, or production incident response policy.
Disclosure Status
Responsible disclosure handling is planned and requires coordinator and security approval before it can be treated as an official public process.
Until an approved contact and process exist:
- do not publish a bug bounty amount;
- do not promise response times;
- do not claim audit coverage;
- do not provide exploit reproduction steps publicly;
- do not expose private keys, credentials, endpoints, wallet procedures, or infrastructure details;
- route sensitive findings through the approved coordinator/security channel when one is documented.
Current Contact
Security contact:
Pending coordinator/security approval
REQ-07 does not create a public intake address. A future security/publication request must confirm the official contact before publication.
Guardrails
Do not publish fake emails, bug bounty claims, audit claims, or legal commitments.
Reporter Guidance
Reports should be handled conservatively and should include only safe metadata unless an approved private intake process exists:
- affected area or product;
- non-sensitive description;
- severity estimate;
- reproduction summary without secrets;
- safe screenshots or logs with sensitive values removed;
- contact path once approved.
Do not include seed phrases, private keys, bearer tokens, API keys, passwords, production RPC secrets, wallet signing instructions, or exploitable operational details in public documentation.
Review Requirements
Publication of this page requires:
- Security review;
- Coordinator approval;
- legal/compliance review if bounty, liability, or reporting commitments are added;
- confirmation that the contact path is active and monitored.
