§ security

Vulnerability disclosure

The OrangeCheck ecosystem takes security seriously. Here's how to report a vulnerability, what's in scope, and what to expect from us.

// looking for the threat model — what each protocol does and doesn't protect against? docs.ochk.io/ecosystem/security. This page is for reporting vulnerabilities, not understanding the security posture.

Don't open public GitHub issues for exploitable bugs. Use the security advisories on the relevant repo (preferred), or email directly. Public disclosure of exploitable bugs before a fix is shipped puts everyone using the protocol at risk.

[01] how to report

We accept vulnerability reports through two channels. Either is fine; pick whichever is more convenient.

GitHub security advisories (preferred)

Each spec / impl repo has private security advisories enabled. Open one on the most relevant repo:

Email

Send to security@ochk.io. Use PGP if your finding is highly sensitive — fingerprint and key published at github.com/orangecheck/.github/SECURITY.md.

[02] what's in scope

Any of the following is in scope:

  • Spec-level vulnerabilities in any oc-*-protocol repo (canonical-message ambiguities, signature replay paths, weight-mode collusion, anchor-verification holes).
  • Implementation bugs in any reference impl: @orangecheck/sdk, @orangecheck/gate, @orangecheck/lock-*, @orangecheck/stamp-*, @orangecheck/vote-*, the Python orangecheck package.
  • Hosted-service bugs in ochk.io, attest.ochk.io, lock.ochk.io, stamp.ochk.io, docs.ochk.io — including auth flaws, session bugs, SSRF / CSRF / XSS, rate-limit bypasses, secret leakage.
  • Cryptographic bugs in the BIP-322 / X25519 / AES-GCM / OTS code paths even if they only manifest under non-standard inputs.

Out of scope: chain-analysis on published proofs (that's the threat model, not a bug); social-engineering attacks against ochk.io operators; DoS on hosted endpoints (we'll fix the rate-limiter, but it's not a CVE-class finding).

[03] what to expect

  • Acknowledgement within 72 hours of receipt.
  • Triage within 7 days — we'll tell you whether we agree it's a vulnerability, what severity we're assigning, and a target fix date.
  • Coordinated disclosure — we'll credit you (unless you prefer anonymity), publish a security advisory once the fix ships, and link to your write-up if you publish one.
  • No bounty program (yet). The OrangeCheck ecosystem is young; we are grateful for responsible disclosure and will be more grateful when we can pay for it.

// thank you for taking the time to make the ecosystem safer.