Security

Coordinated disclosure.

We treat security findings with priority and precision. Reports should reach us through the channels below, not through public social posts.

Bug bounty in design — not yet active

Email

security@exochain.io (PGP key fingerprint published with v0.5)

Scope

The protocol, the reference Rust implementation, exo-gateway, and the public site under exochain.io. Out of scope: third-party deployments not operated by us.

What to include

  • Reproduction steps. The fewer assumptions, the better.
  • Suspected severity and rationale.
  • Intended disclosure timeline.
  • Your contact preference for follow-up.

What we'll do

  • Acknowledge within 3 business days.
  • Assign severity and CVE if applicable.
  • Coordinate disclosure date.
  • Credit reporters who request it.