Do not file public GitHub issues for security vulnerabilities.

Email security@sharedllm.org. At least two active maintainers monitor this address. Expect an acknowledgment within 72 hours and a status update within 7 days.

For sensitive reports, use the GPG key published at https://sharedllm.org/.well-known/security.asc (to be configured post-SFC-sponsorship).

• A description of the vulnerability and its impact.
• Steps to reproduce.
• Affected versions or commit hashes.
• Any suggested mitigations.

We follow coordinated disclosure. Once a fix is available and deployed on the main SharedLLM instance, we publish a security advisory via GitHub's advisory system. Credit is given to reporters who wish to be named.

In scope:

• The coordinator server (src/sharedllm/coordinator/)
• The node daemon (src/sharedllm/node/)
• The credit ledger (src/sharedllm/credits/)
• Any official SharedLLM-operated instance

Out of scope:

• Vulnerabilities in upstream dependencies (report to them, CC us)
• Vulnerabilities in llama.cpp (report to the llama.cpp project)
• Denial of service from a single malicious node — this is a known limitation of volunteer networks; report design issues via normal RFCs