Thanks for helping keep OpenTrustEngine and its users safe.
Please do not file a public issue for security problems.
Use one of the private channels below:
- 🔒 GitHub Security Advisory — preferred; the draft advisory is visible only to you and the maintainers: https://github.com/deepakfq/opentrustengine/security/advisories/new
- 📧 Email — security@opentrustengine.com or deepak@freaquer.com. Include [SECURITY] in the subject line.
Please include:
- A clear description of the issue and the affected component (@ote/sdk / @ote/widget / connector / hosted API)
- Reproduction steps or proof-of-concept
- The version(s) you tested
- Your assessment of the impact (data exposure, score manipulation, denial of service, etc.)
| Stage | SLA |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial triage | Within 5 business days |
| Fix or mitigation | Within 30 days for critical / high severity |
| Coordinated disclosure | After fix is shipped, with credit (unless you prefer anonymity) |
| In scope | Out of scope |
|---|---|
| Public hosted APIs at api.opentrustengine.com, api.onetrustengine.com, verify.onetrustengine.com | Third-party connector misconfiguration (your Razorpay/Cashfree credentials are your responsibility) |
| Published npm packages @ote/* | Forks or modified self-hosted deployments not following our docs |
| TrustSign signature forgery / verification bypass | Issues in upstream dependencies (please report to those projects) |
| Authentication / authorisation flaws | Social engineering, physical attacks, denial-of-service via volumetric flooding |
| Score manipulation via undocumented vectors | Issues already covered by the public roadmap (e.g. WTS not yet implemented) |
A formal bug-bounty programme is planned. Until it is announced, we acknowledge serious reports publicly (with permission) and offer a token gift (₹5,000–₹50,000 depending on severity) for valid critical findings.
PGP support is planned for the security@opentrustengine.com address. Until then, please use the GitHub Security Advisory channel for sensitive details.
Maintainer: Deepak Kumar Dwivedi, Freaquer.