§ security

Vulnerability disclosure

The OrangeCheck ecosystem takes security seriously. Here's how to report a vulnerability, what's in scope, and what to expect from us.

// looking for the threat model — what each protocol does and doesn't protect against? docs.ochk.io/ecosystem/security. This page is for reporting vulnerabilities.

how to report

!! Don't open public GitHub issues for exploitable bugs. Public disclosure before a fix ships puts everyone using the protocol at risk.

Email security@ochk.io — use PGP for highly sensitive findings; the fingerprint and key are published at github.com/orangecheck/.github/SECURITY.md. Alternatively, open a private GitHub security advisory on the most relevant orangecheck/* repository.

  • acknowledgement: within 72 hours of receipt
  • triage: within 7 days — whether we agree it is a vulnerability, the severity assigned, and a target fix date
  • coordinated disclosure: we credit you (unless you prefer anonymity) and publish an advisory once the fix ships
  • bounty: no paid bounty program yet — the ecosystem is young; we are grateful for responsible disclosure

what's in scope

  • Spec-level vulnerabilities in any oc-*-protocol repo — canonical-message ambiguities, signature-replay paths, weight-mode collusion, anchor-verification holes.
  • Implementation bugs in any @orangecheck/* npm package or the Python SDK.
  • Hosted-service bugs on any ochk.io site — auth flaws, session bugs, SSRF / CSRF / XSS, rate-limit bypasses, secret leakage.
  • Cryptographic bugs in the BIP-322 / X25519 / AES-GCM / OpenTimestamps code paths, even under non-standard inputs.

Out of scope: chain analysis on published proofs (that is the threat model, not a bug); social engineering against operators; volumetric denial-of-service on hosted endpoints.

// thank you for taking the time to make the ecosystem safer.