Responsible disclosure, bug bounty, and vulnerability policy.
For sensitive disclosures, use GitHub Security Advisories — this provides an encrypted, private channel directly to the team.
For general security questions: [email protected]
We prefer responsible disclosure. Please give us a reasonable window to investigate and patch before any public disclosure.
Scope, disclosure timeline, and out-of-scope items are documented in the full policy.
An Immunefi bug bounty program is planned for May 2026, covering the AP2-PQ Worker, SpendEnvelopeRegistry contract, and core SDK packages.
Until then, we acknowledge all valid critical reports in our Hall of Fame.
/.well-known/security.txt — RFC 9116-compliant disclosure policy.