The Rules section of CONTRIBUTING.md (line 4–5 of Rules block) instructs reporters to contact security@apn.tech before any public disclosure for "traffic leaks, credential exposure, data loss." The $50 reward tier defined in the same file adds "kill-switch failures" alongside traffic leaks and data loss. Kill-switch failures expose user traffic whenever the tunnel drops unexpectedly — they carry the same privacy risk as a leak and belong in the private disclosure list.
A reporter who discovers a kill-switch failure has no way to know from the current text whether to file a public issue or to email security@apn.tech first. Omitting it from the private disclosure requirement creates a gap between the reward tier and the responsible-disclosure policy.
Proposed fix: extend the security-contact sentence in CONTRIBUTING.md to read "traffic leaks, kill-switch failures, credential exposure, or data loss" so the private disclosure list matches the $50 tier.
The Rules section of CONTRIBUTING.md (line 4–5 of Rules block) instructs reporters to contact
security@apn.techbefore any public disclosure for "traffic leaks, credential exposure, data loss." The $50 reward tier defined in the same file adds "kill-switch failures" alongside traffic leaks and data loss. Kill-switch failures expose user traffic whenever the tunnel drops unexpectedly — they carry the same privacy risk as a leak and belong in the private disclosure list.A reporter who discovers a kill-switch failure has no way to know from the current text whether to file a public issue or to email
security@apn.techfirst. Omitting it from the private disclosure requirement creates a gap between the reward tier and the responsible-disclosure policy.Proposed fix: extend the security-contact sentence in CONTRIBUTING.md to read "traffic leaks, kill-switch failures, credential exposure, or data loss" so the private disclosure list matches the $50 tier.