
Security: PositiveSecurity/monero-oxide


Security.md

Security

Bugs Which Are Security Issues

Bugs in monero-oxide which put a downstream project at risk of loss of funds, impact users' privacy, risk a denial of service, or are similarly problematic should be reported via monero-oxide's Bug Bounty Program. This bug bounty is generously sponsored by Power Up Privacy, which directly handles payouts. Alternatively, for reporters without Immunefi accounts, security issues may be reported via GitHub's private reporting, or, as a last resort, a maintainer (as listed in our Governance document) may be messaged over Matrix.

Public disclosure, such as opening a public GitHub issue, is not responsible and MUST NOT be done. If you are struggling to make a disclosure, please ask for help doing so (in a GitHub issue if necessary) without publishing any details about the intended disclosure (e.g. its estimated severity).

All affected projects should be privately notified via their stated disclosure method (or, if they have no stated disclosure method, via any private means of communication).

All projects, including monero-oxide, should be informed when multiple projects have been disclosed to, and none of them may publicly disclose the issue until all of them have resolved it.

Bugs Which Aren't Security Issues

Bugs without an impact on the project's security, or on a reasonable consumer's security, should be reported via monero-oxide's GitHub issues. If you're unsure whether a bug impacts security, or to what degree it does, it must be treated as having its highest potential severity.

Fallback Disclosure Timeline

Any bug within monero-oxide may be publicly disclosed three months after the date of its responsible disclosure to the monero-oxide project, regardless of its status. Prior to this deadline, any disclosed-to party may request an extension of up to 60 days. If the discloser agrees to the extension, they must notify all disclosed-to parties of the new timeline, and all of them must honor it. If the discloser does not agree, they must explicitly inform the requester of their disagreement.
