Security: AVOTRONOM/AVOT


Security Policy

Reporting a vulnerability

DO NOT open a public issue for security vulnerabilities. We take this seriously.

How to report

Email: security@avotronom.xyz

Include:

  1. Description of the vulnerability
  2. Affected module(s) and version(s)
  3. Steps to reproduce
  4. Potential impact
  5. Suggested fix (if any)

What to expect

  • Acknowledgment within 48 hours
  • Initial assessment within 7 days
  • Fix or mitigation within 30 days for critical issues
  • Credit in the release notes (if you'd like)

Scope

In scope:

  • All code in packages/ directory
  • Production deployment at avotronom.xyz and api.avotronom.xyz
  • Any deployed Solana program (future)

Out of scope:

  • Issues in third-party dependencies (report upstream first; we'll patch when they do)
  • Social engineering attacks
  • Physical attacks
  • DoS attacks (rate limits exist, but exhausting burst capacity is not considered a security issue)

Bounty

We don't currently run a formal bounty program. For severe issues that we ship a fix for, we may send a token-of-appreciation payment in SOL. No promises.

Disclosure timeline

We follow a standard 90-day disclosure window, counted from the initial report. We may request an extension for complex multi-vendor coordination. We will not pursue legal action against good-faith security research conducted under this policy.
