Skip to content

Add SECURITY.md with vulnerability disclosure policy #6

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ouwibo wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add SECURITY.md with vulnerability disclosure policy #6

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 64 additions & 0 deletions SECURITY.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# Security Policy

ATXP gives AI agents wallets, identities, and payment access. Because the SDK
touches funds and credentials, we take security reports seriously and want a
clear, private channel for researchers to use.

## Reporting a Vulnerability

**Please do not open public GitHub issues for security reports.**

Email security concerns to:

- `security@atxp.ai` (preferred, if available)
- `support@atxp.ai` (fallback)

Include:

1. A description of the issue and its impact.
2. Reproduction steps (proof-of-concept if possible).
3. The affected version, commit, or endpoint.
4. Your contact info and whether you want public credit.

If you don't get an acknowledgement within 5 business days, please ping again —
mail can get lost.

## Scope

In scope:

- This repository (`atxp-dev/atxp`) and the `atxp` npm package.
- The ATXP backend APIs and wallet handling reachable through the SDK or
`atxp.ai` / `accounts.atxp.ai`.
- Authentication, payment routing, and wallet custody flows.

Out of scope:

- Third-party MCP servers reached through ATXP tools.
- Issues that require physical access to a user's machine.
- Reports of missing best-practice headers without a demonstrated impact.
- Social engineering of ATXP staff.

## Coordinated Disclosure

We ask researchers to give us a reasonable window — typically up to 90 days —
to investigate and ship a fix before public disclosure. If the issue is being
actively exploited, we'll move faster and coordinate with you on timing.

## Recognition

With your permission, we'll credit you in release notes or a published advisory
once a fix has shipped. ATXP does not currently run a paid bug bounty program;
if that changes, this document will be updated.

## Safe Harbor

We will not pursue legal action against researchers who:

- Make a good-faith effort to follow this policy.
- Avoid privacy violations, data destruction, or service degradation.
- Report findings promptly and privately.
- Do not exploit findings beyond what's necessary to demonstrate the issue.

If you're unsure whether something is in scope or safe to test, ask first via
the email above.