Last Updated: March 26, 2026

I. Introduction

The Autheo Foundation ("Foundation," "we," "us," or "our") is committed to ensuring the security and integrity of the Autheo network, its protocols, and the broader ecosystem. We recognize that independent security researchers play a vital role in helping us identify and address vulnerabilities before they can be exploited.

We encourage responsible disclosure of security vulnerabilities and welcome reports from researchers, developers, and members of the community. This policy outlines the scope, process, and expectations for reporting security issues to the Foundation. If you believe you have discovered a vulnerability in any Autheo system, we ask that you follow this policy to report it responsibly so we can investigate and remediate it promptly.

II. Scope

This policy applies to vulnerabilities discovered in the following Autheo Foundation systems and components:

  • Core Protocol — The consensus engine, state machine, validator infrastructure, and all core blockchain logic powering the Autheo Layer-0 and Layer-1 network.
  • Smart Contracts — System contracts, bridge contracts, governance contracts, and any Foundation-deployed on-chain programs.
  • IBC Module — Cross-chain communication via the Inter-Blockchain Communication protocol, including packet handling, relay logic, and channel security.
  • AutheoID — The decentralized identity framework, including credential issuance, verification, and on-chain identity resolution.
  • Eigensphere AI — On-chain AI inference modules, model integrity verification, and related computational infrastructure.
  • Web Infrastructure — The Foundation's public-facing websites (including autheofoundation.org), APIs, block explorer, and associated backend services.

The following are out of scope and should not be reported under this policy:

  • Third-party applications, protocols, or services built on or integrated with the Autheo network that are not maintained by the Foundation.
  • Social engineering attacks (including phishing) against Foundation personnel or community members.
  • Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.
  • Vulnerabilities that have already been reported to the Foundation or are already publicly known.
  • Issues in software or infrastructure that the Foundation does not own or control.

III. How to Report

If you have discovered a security vulnerability, please report it by sending an email to security@autheofoundation.org. Your report should include the following information:

  • Description — A clear and detailed description of the vulnerability, including which component or system is affected.
  • Steps to Reproduce — A step-by-step guide to reproduce the vulnerability. Include any tools, scripts, payloads, or configurations used.
  • Impact Assessment — Your assessment of the potential impact of the vulnerability, including what an attacker could achieve by exploiting it.
  • Suggested Fix — If you have a recommendation for how to remediate the vulnerability, please include it. This is optional but appreciated.

For sensitive or high-severity reports, we strongly encourage you to encrypt your email using the Foundation's PGP public key. The key is published at autheofoundation.org/.well-known/security.txt.

IV. What to Expect

The Foundation is committed to responding to vulnerability reports promptly and transparently. After you submit a report, you can expect the following timeline:

  • Acknowledgment — We will acknowledge receipt of your report within 48 hours.
  • Initial Triage — Our security team will perform an initial assessment and classify the severity of the vulnerability within 5 business days.
  • Resolution Targets — We aim to resolve confirmed vulnerabilities according to their severity:
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
    • Low: 60 days
  • Ongoing Communication — We will keep you informed of our progress throughout the investigation and remediation process. You will be notified when the vulnerability has been resolved.

Please note that resolution timelines may vary depending on the complexity of the issue. In all cases, we will communicate any delays and provide regular status updates.

V. Safe Harbor

The Autheo Foundation values the contributions of security researchers and is committed to working with the community in good faith. To encourage responsible disclosure, we provide the following safe harbor provisions:

  • The Foundation will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy.
  • The Foundation will not file complaints with law enforcement against researchers acting in good faith under this policy.

To qualify for safe harbor, you must:

  • Act in good faith and comply with this policy.
  • Avoid privacy violations — do not access, collect, or disclose personal data of users or Foundation personnel.
  • Avoid data destruction — do not delete, modify, or corrupt data on any Autheo system.
  • Avoid service disruption — do not degrade, interrupt, or impair the availability or performance of any Autheo service or network.
  • Give the Foundation reasonable time to investigate and remediate the vulnerability before making any public disclosure.

VI. Reward Guidelines

The Autheo Foundation may offer monetary rewards to researchers who report valid, previously unknown vulnerabilities in accordance with this policy. Rewards are determined at the Foundation's sole discretion based on the severity of the vulnerability:

  • Critical: Up to $100,000
  • High: Up to $25,000
  • Medium: Up to $5,000
  • Low: Up to $1,000

Factors that may affect the reward amount include:

  • Quality of the report — Clear, detailed reports with complete reproduction steps receive higher consideration.
  • Impact — Vulnerabilities with greater potential impact on users, funds, or network integrity are weighted more heavily.
  • Novelty — Unique or previously unknown vulnerability classes may receive additional consideration.

Duplicate reports will not receive a reward. Only the first reporter of a given vulnerability is eligible for a reward. The Foundation reserves the right to adjust reward amounts or decline to issue a reward for reports that do not meet the requirements of this policy.

VII. Responsible Conduct

When conducting security research on Autheo systems, you must not:

  • Publicly disclose the vulnerability before the Foundation has had reasonable time to investigate and remediate it.
  • Access data beyond what is strictly necessary to demonstrate the vulnerability.
  • Modify, delete, or exfiltrate data from any Autheo system.
  • Disrupt, degrade, or impair the availability of any Autheo service or network component.
  • Use the vulnerability to attack or exploit users, validators, or other participants in the Autheo ecosystem.

You should:

  • Minimize the impact of your testing on live systems and real users.
  • Use test accounts and test environments whenever possible.
  • Delete any data acquired during your research promptly after submitting your report.
  • Report vulnerabilities as soon as reasonably possible after discovery.

VIII. Recognition

The Autheo Foundation believes in recognizing the contributions of security researchers who help protect our ecosystem. With the researcher's permission, we may:

  • Credit the researcher by name (or pseudonym) in the security advisory published for the resolved vulnerability.
  • Include the researcher in the Foundation's Security Hall of Fame, a public acknowledgment of individuals who have made significant contributions to the security of the Autheo network.

If you wish to remain anonymous, we will respect that preference. Credit and recognition are always at the researcher's discretion.

IX. Changes to This Policy

The Autheo Foundation reserves the right to modify or update this Responsible Disclosure Policy at any time. Changes will be reflected on this page with an updated "Last Updated" date. We encourage you to review this policy periodically to stay informed of any changes. Your continued participation in the responsible disclosure program following any updates constitutes acceptance of the revised policy.

X. Contact

If you have any questions about this Responsible Disclosure Policy, or if you wish to report a security vulnerability, please contact us at:

Autheo Foundation — Security Team
Email: security@autheofoundation.org
PGP Key: autheofoundation.org/.well-known/security.txt
Website: autheofoundation.org