AeroNyx Security and Vulnerability Disclosure Policy

AeroNyx6 июля 2026 г.5 мин чтения14 просмотров

Explains safe, responsible vulnerability reporting for AeroNyx users, researchers, developers, and node operators.

AeroNyx Security and Vulnerability Disclosure Policy

Effective date: July 6, 2026

AeroNyx is an open privacy protocol and product ecosystem. Security researchers, users, node operators, and developers can help protect AeroNyx by reporting vulnerabilities responsibly.

This policy explains how to report security issues, what research is authorized, what activity is prohibited, and how AeroNyx coordinates remediation and disclosure.

1. Scope

This policy applies to AeroNyx-operated services and official AeroNyx software, including:

  • official AeroNyx websites and documentation
  • official AeroNyx apps and APIs
  • Nodeboard and related management surfaces
  • official discovery, bootstrap, public statistics, and control-plane services
  • official open-source AeroNyx repositories
  • official AeroNyx protocol node software released by AeroNyx

This policy does not authorize testing against independent node operators, third-party providers, app stores, RPC providers, model providers, payment processors, hosting providers, user devices, or destination services without their separate permission.

2. How to Report

Send security reports to hi@aeronyx.network with the subject line Security Report.

Please include:

  • affected product, repository, domain, API, or component
  • vulnerability type and impact
  • reproduction steps
  • proof of concept, if safe to share
  • affected versions or commits, if known
  • logs, screenshots, or request/response samples with secrets removed
  • whether the issue may already be exploited
  • your contact information and disclosure timeline expectations

Do not include private keys, seed phrases, real user data, decrypted user content, or unnecessary personal information in reports.

3. Safe Harbor for Good-Faith Research

AeroNyx will not pursue legal action against good-faith security research that complies with this policy, avoids privacy harm, avoids service disruption, and is promptly reported to AeroNyx.

Good-faith research must:

  • test only systems in scope or systems you own/control
  • avoid accessing, modifying, deleting, exfiltrating, or disclosing user data
  • avoid degrading, interrupting, or damaging services
  • stop testing and report promptly if you encounter sensitive data or unsafe behavior
  • give AeroNyx a reasonable opportunity to investigate and remediate before public disclosure

This safe harbor does not apply to extortion, threats, social engineering, physical attacks, malware, persistence, destructive testing, fraud, privacy invasion, or testing outside the authorized scope.

4. Prohibited Testing

Do not:

  • access or attempt to access accounts, wallets, devices, keys, or data that are not yours
  • decrypt or attempt to decrypt user content, MemChain objects, encrypted messages, or private traffic
  • perform denial-of-service, stress, load, or resource-exhaustion testing without written permission
  • run spam, phishing, malware, credential stuffing, or automated abuse
  • modify, delete, publish, sell, or exfiltrate data
  • attack independent nodes or third-party services without their authorization
  • attempt to deanonymize users, correlate private traffic, or map private social graphs
  • bypass payment systems, abuse rewards, or exploit production systems for financial gain
  • use social engineering against AeroNyx personnel, users, node operators, or partners
  • publicly disclose unresolved vulnerabilities before coordination unless required by law

5. Coordinated Disclosure

AeroNyx supports coordinated vulnerability disclosure. We ask researchers to report vulnerabilities privately first and allow reasonable time for triage, remediation, testing, and deployment.

Expected process:

  1. AeroNyx acknowledges receipt when practical.
  2. AeroNyx triages the report and may request additional information.
  3. AeroNyx validates impact and affected systems.
  4. AeroNyx develops, tests, and deploys remediation where needed.
  5. AeroNyx coordinates disclosure timing with the reporter when appropriate.

Disclosure timelines vary by severity, exploitation risk, affected components, third-party dependencies, and deployment complexity.

6. No Bug Bounty Unless Separately Announced

AeroNyx appreciates responsible reports, but this policy does not create a paid bug bounty program, reward obligation, employment relationship, contractor relationship, or right to compensation.

If AeroNyx launches a formal bounty program, the program terms will control eligible submissions and rewards.

7. Severity and Prioritization

AeroNyx prioritizes vulnerabilities based on potential impact, exploitability, affected users, affected nodes, privacy implications, fund/key risk, service availability, and active exploitation signals.

High-priority examples include:

  • private key, seed phrase, or user-held decryption material exposure
  • ability to decrypt user messages, MemChain objects, or private traffic
  • remote code execution
  • authentication or authorization bypass
  • command execution through Nodeboard or node management surfaces
  • route proof forgery or relay integrity failure
  • serious deanonymization or traffic-correlation vulnerabilities
  • payment, subscription, or entitlement bypass with security impact
  • vulnerabilities affecting many nodes or users

8. Independent Nodes and Third Parties

AeroNyx is an open protocol. Independent people and organizations may run compatible nodes. This policy does not authorize testing of independent nodes unless the operator separately permits it.

If a vulnerability affects official AeroNyx node software, report it to AeroNyx. If a vulnerability affects a specific independent operator's infrastructure or hosting environment, you may also need to notify that operator.

9. Public Keys and Secure Communication

AeroNyx may publish a dedicated security contact, PGP key, security.txt file, or vulnerability reporting portal in the future. Until then, use hi@aeronyx.network for initial reports and avoid sending unnecessary secrets.

10. Recognition

AeroNyx may acknowledge researchers who provide helpful, good-faith reports, unless the researcher requests anonymity or legal/security reasons prevent acknowledgment.

Recognition is at AeroNyx's discretion and does not imply compensation.

11. Changes

AeroNyx may update this policy as our protocol, products, threat model, and security program evolve.

12. Contact

For security reports:

AeroNyx Security
Email: hi@aeronyx.network
Subject: Security Report