Skip to content

CONTRIBUTING.md private disclosure rule omits kill-switch failures from the security@ contact list #145

Description

@bibonix

The Rules section of CONTRIBUTING.md (line 4–5 of Rules block) instructs reporters to contact security@apn.tech before any public disclosure for "traffic leaks, credential exposure, data loss." The $50 reward tier defined in the same file adds "kill-switch failures" alongside traffic leaks and data loss. Kill-switch failures expose user traffic whenever the tunnel drops unexpectedly — they carry the same privacy risk as a leak and belong in the private disclosure list.

A reporter who discovers a kill-switch failure has no way to know from the current text whether to file a public issue or to email security@apn.tech first. Omitting it from the private disclosure requirement creates a gap between the reward tier and the responsible-disclosure policy.

Proposed fix: extend the security-contact sentence in CONTRIBUTING.md to read "traffic leaks, kill-switch failures, credential exposure, or data loss" so the private disclosure list matches the $50 tier.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions