SnapKitty Sovereign OS runs on bare metal with a cryptographic WORM chain, Ed25519 agent signing, and HMAC-SHA256 sealed decisions. Security is architectural — not a layer on top.
If you find a way through, we want to know.
This project does not use version numbers in the traditional sense. The main branch is always the supported version. Anything else is unsupported.
| Branch | Supported |
|---|---|
| main | ✅ |
| Any other | ❌ |
Do not open a public GitHub issue. That exposes the vulnerability before it's patched.
Option 1 — GitHub Private Advisory (preferred)
GitHub → Security tab → Advisories → New draft security advisory. Only visible to you and the maintainers until patched and disclosed.
Option 2 — Direct email
jessica@snapkitty.com — Subject: SECURITY: [brief description]
- Description of the vulnerability
- Steps to reproduce
- Which layer is affected (Next.js API, Rust core, agent bodies, WORM chain, Discord bot, contracts)
- Potential impact
- Your contact info for follow-up
| Step | Timeline |
|---|---|
| Acknowledgement | Within 24 hours |
| Initial assessment | Within 48 hours |
| Patch (if accepted) | Prioritized immediately |
| Public disclosure | After patch is live |
In scope:
- Authentication and session handling (`lib/auth/`)
- Agent decision signing and WORM chain integrity
- API routes that handle financial data
- The FORGEART contract (`contracts/`)
- Discord bot command injection
- Cryptographic sealing (`lib/crypto-vault.ts`)
Out of scope:
- The honeypot endpoints (`/api/language/interpret`) — these are intentionally deceptive
- Theoretical attacks with no practical exploit path
- Social engineering
Reports are taken seriously. We do not pursue legal action against researchers who disclose responsibly. We will credit you in the patch notes unless you request anonymity.
The WORM chain means every security event is permanently recorded. That cuts both ways — we can't hide incidents, and neither can attackers.
Copyright (c) 2026 SNAPKITTYWEST · FSL-1.1