Vulnerability disclosure

Responsible security reporting for the public beta.

This page sets the public reporting rules for the current beta. Formal bounty scope is still pending, but a monitored reporting contact is now published.

Safe harbor intent

Report issues without harming users, funds, systems, or data.

Allowed research

Good-faith review of public pages, headers, route behavior, wallet prompts, and published contracts.

Not allowed

No denial of service, social engineering, phishing, data exfiltration, fund movement, or destructive testing.

Evidence

Reports should include the route, reproducible steps, impact, and screenshots or logs where safe.

Current status

Monitored security reporting is published for the public beta.

Bug bounty: Not claimed until a public bounty page is linked.
Security contact: ops@atomic-a-i.cloud (monitored for security reports)
Response target: Acknowledgement target: within 72 hours for good-faith reports. Critical issues should be triaged before public disclosure.
Disclosure rule: Do not publish exploit details before the operator has had a reasonable chance to respond and mitigation has begun.
Safe harbor: Good-faith testing within the published rules is intended to support remediation, not punitive action, provided it avoids privacy harm, fund movement, destructive traffic, or persistence.
PGP key: No public PGP key is published at this time.