This security policy applies to all repositories under the aumos-ai GitHub organization, including protocol specifications, SDKs, integrations, tooling, and research repositories.
Do not open a public GitHub issue for security vulnerabilities.
Report security vulnerabilities by emailing [email protected]. Include as much of the following as you can:
- A description of the vulnerability and its potential impact
- The affected repository or repositories
- Steps to reproduce the issue
- Any proof-of-concept code or examples (if safe to share)
- Your assessment of severity (critical, high, medium, low)
If a report contains sensitive details (working exploit code, credentials, or affected customer information), encrypt it with our PGP key; contact [email protected] to request the key.
| Stage | Target |
|---|---|
| Acknowledgment | Within 48 hours of receipt |
| Initial triage and severity assessment | Within 7 days |
| Resolution or remediation plan | Within 90 days for critical/high; 180 days for medium/low |
| Public disclosure | Coordinated with reporter after patch is available |
We follow coordinated disclosure. We ask that you give us time to investigate and release a fix before publishing details publicly. We will keep you informed of progress throughout the process.
AumOS does not currently operate a paid bug bounty program. However, we sincerely appreciate responsible disclosure and will publicly credit reporters (with permission) in release notes and the relevant repository's CHANGELOG.
If you report a vulnerability that results in a significant security improvement, we may offer recognition in the form of a contributor credit in the affected project.
The following are not in scope for security reports:
- Social engineering of maintainers, staff, or community members
- Denial of service (DoS) and distributed denial of service (DDoS) attacks against infrastructure
- Physical security of any facilities
- Vulnerabilities in third-party dependencies — please report those to the upstream maintainer directly, and notify us if they affect an AumOS component
- Self-XSS or attacks requiring the victim to run malicious code themselves
- Issues in repositories archived or explicitly marked end-of-life
- Theoretical vulnerabilities with no demonstrated impact or exploit path
We only provide security fixes for the latest stable release of each SDK and tool; older releases do not receive backports, so upgrade to the latest stable release to receive fixes. Protocol specification vulnerabilities are addressed regardless of version, as specifications are not versioned the same way as software.
Once a vulnerability is resolved, we will publish a security advisory on the affected repository within 30 days. The advisory will credit the reporter (with permission), describe the vulnerability at a level of detail appropriate for defenders, and link to the fix.
Copyright 2026 MuVeraAI Corporation.