If you discover a security vulnerability in VetoNet, please report it responsibly:

• Email: security@veto-net.org
• GitHub Security Advisories: Use the Security Advisories tab to report privately.

Please do not open a public GitHub issue for security vulnerabilities.

• Acknowledgment: Within 48 hours of receiving your report.
• Fix timeline: Within 7 days of acknowledgment, we will provide a timeline for a fix or mitigation.

The following are considered in-scope vulnerabilities:

• Bypassing VetoNet checks (deterministic, ML, or LLM layers)
• Authentication bypass (API key validation, session handling)
• Data leakage (exposure of API keys, user data, or internal state)

The following are not considered vulnerabilities:

• Red team challenge playground bypasses (these are expected and tracked as part of the challenge)
• Denial of Service (DoS) attacks

Security researchers who report valid vulnerabilities will be credited in our release notes and security advisories, unless they prefer to remain anonymous. Let us know your preference when reporting.