Security policy

Report vulnerabilities privately to security@aevum.bond (forwarding to the project contact during Phase T).

PGP fingerprint: 3C54 6416 2E75 7B7B 4BDE 695F C6F6 C5FB 6E69 0373

Public key: aevum-bond-public.asc · Also available from keys.openpgp.org after upload.

Please do not open a public issue for suspected security flaws. We commit to:

  1. Acknowledge receipt within 48 hours.
  2. First triage and severity assessment within 7 days.
  3. Coordinated disclosure timeline agreed with the reporter; default embargo is 90 days from triage or upon patch release, whichever is sooner.
  4. Public credit in release notes and the security hall of fame (opt-in).

  • Rust crates gated by cargo-vet + cargo-deny in CI.
  • CycloneDX SBOM published with every tagged release starting at M1.
  • Firmware signing keys held offline; rotation policy documented in RFC-0007 (pending).

A public bug bounty opens with the M5 public testnet. Scope, rewards, and rules will be published at that time.