Security: OpenWyrd/mop

SECURITY.md

Security policy

Reporting a vulnerability

Email security@openwyrd.org with details. We are pre-launch and do not yet publish a maintainer PGP key; treat the channel accordingly. For findings sensitive enough that plaintext-on-a-forwarder is unacceptable, request the key in your initial mail and we will arrange out-of-band exchange.

A maintainer PGP key will be published here once it exists. The key fingerprint will also be published at https://keys.openpgp.org and https://openwyrd.org/.well-known/maintainer.asc so it can be cross-checked against this page.

Disclosure window

90 days from initial report. We will:

  • Acknowledge receipt within 72 hours.
  • Confirm or refute the issue within 14 days.
  • Coordinate a fix and a public disclosure date.
  • Credit the reporter in the disclosure unless they request otherwise.

If we cannot ship a fix within 90 days, we will say so publicly and explain why. Indefinite embargoes are not on the table.

Scope

This policy covers:

  • The MOP spec (logical flaws, ambiguity that admits insecure implementations).
  • The conformance suite (vectors that mask bugs rather than catch them).
  • Reference implementations under github.com/openwyrd/* (the codebase, not deployments).

Operational issues with hosted deployments (e.g., a specific sendwyrd.com outage) belong to that host's operator, not the protocol.

What is not in scope

  • Vulnerabilities in dependencies — file with the dependency; we'll respond to advisories that affect us.
  • Self-inflicted attacks (a recipient leaks their own URL; the protocol does not promise to save them from themselves).
  • Plaintext content the user themselves placed in a wyrd.

No bug bounty

Not yet. We will not waste your time pretending to run a bounty program before we have an audited codebase and the resources to honor payouts. If that changes, this section will say so.