Skip to content

Disclosure Policy

Canonical

Purpose

This document defines the draft responsible disclosure boundary for Axodus security issues. It is not a public bug bounty program, legal commitment, audit statement, or production incident response policy.

Disclosure Status

Responsible disclosure handling is planned and requires coordinator and security approval before it can be treated as an official public process.

Until an approved contact and process exist:

  • do not publish a bug bounty amount;
  • do not promise response times;
  • do not claim audit coverage;
  • do not provide exploit reproduction steps publicly;
  • do not expose private keys, credentials, endpoints, wallet procedures, or infrastructure details;
  • route sensitive findings through the approved coordinator/security channel when one is documented.

Current Contact

Security contact:

Pending coordinator/security approval

REQ-07 does not create a public intake address. A future security/publication request must confirm the official contact before publication.

Guardrails

Do not publish fake emails, bug bounty claims, audit claims, or legal commitments.

Reporter Guidance

Reports should be handled conservatively and should include only safe metadata unless an approved private intake process exists:

  • affected area or product;
  • non-sensitive description;
  • severity estimate;
  • reproduction summary without secrets;
  • safe screenshots or logs with sensitive values removed;
  • contact path once approved.

Do not include seed phrases, private keys, bearer tokens, API keys, passwords, production RPC secrets, wallet signing instructions, or exploitable operational details in public documentation.

Review Requirements

Publication of this page requires:

  • Security review;
  • Coordinator approval;
  • legal/compliance review if bounty, liability, or reporting commitments are added;
  • confirmation that the contact path is active and monitored.

Released as living documentation for the Axodus ecosystem.