Security: IvanDeepVerify/botprotocol

SECURITY.md

Security Policy

Reporting a vulnerability

Security is critical for an identity and delegation protocol: a flaw in the specification or reference implementation can let an attacker impersonate a principal or exceed a delegated authority. We take all reports seriously.

How to report

Do not open public issues for security vulnerabilities.

Email security reports to: security@botprotocol.io

If possible, encrypt your report with our PGP key (publish key fingerprint here when generated).

What to include

A useful security report includes:

  1. Type of issue — cryptographic flaw, protocol logic flaw, implementation bug, etc.
  2. Affected component — specification section, reference implementation, etc.
  3. Reproduction steps — if applicable
  4. Impact assessment — what an attacker could achieve
  5. Suggested mitigation — if you have ideas

What to expect

  • Acknowledgment within 72 hours
  • Initial assessment within 7 days
  • Status update every 14 days until resolution
  • Coordinated disclosure — we will work with you on disclosure timing

Disclosure policy

We follow coordinated disclosure:

  1. Report received privately
  2. We confirm and assess the issue
  3. We develop a fix or specification update
  4. We notify pilot implementations privately
  5. Public disclosure after fix is available, typically 60-90 days from initial report

We credit reporters in public advisories unless they prefer to remain anonymous.

Out of scope

The following are out of scope for security reports:

  • Issues in dependencies (report to those projects)
  • Issues in implementations not maintained by this project
  • Theoretical attacks without a concrete exploitation path
  • Social engineering attacks against contributors

Threat model

The current threat model is documented in spec/02-threat-model.md. When reporting, indicate whether your finding fits an existing threat in that document or represents a new class of attack not yet covered there.

Bug bounty

There is no formal bug bounty at this stage. As the protocol matures, a bounty program may be established.