Security is critical for an identity and delegation protocol. We take all reports seriously.
Do not open public issues for security vulnerabilities.
Email security reports to: security@botprotocol.io
If possible, encrypt your report with our PGP key (publish key fingerprint here when generated).
A useful security report includes:
- Type of issue — cryptographic flaw, protocol logic flaw, implementation bug, etc.
- Affected component — specification section, reference implementation, etc.
- Reproduction steps — if applicable
- Impact assessment — what an attacker could achieve
- Suggested mitigation — if you have ideas
After you report, you can expect:
- Acknowledgment within 72 hours
- Initial assessment within 7 days
- Status update every 14 days until resolution
- Coordinated disclosure — we will work with you on disclosure timing
We follow coordinated disclosure:
- Report received privately
- We confirm and assess the issue
- We develop a fix or specification update
- We notify pilot implementations privately
- Public disclosure after fix is available, typically 60-90 days from initial report
We credit reporters in public advisories unless they prefer to remain anonymous.
The following are out of scope for security reports:
- Issues in dependencies (report to those projects)
- Issues in implementations not maintained by this project
- Theoretical attacks without a concrete exploitation path
- Social engineering attacks against contributors
The current threat model is documented in spec/02-threat-model.md. When reporting, indicate whether your finding fits an existing threat or represents a new class.
There is no formal bug bounty at this stage. As the protocol matures, a bounty program may be established.