Security is one of the top priorities at Xpring, and we value the security community. The responsible disclosure of vulnerabilities helps us ensure the security and privacy of users of the project.

We expect all researchers to:

1. Refrain from malicious acts that put our users, the project, or any of the project's team members at risk.

2. Perform research only within the scope set out below.

3. Use the identified secure communication channels mentioned below to report vulnerability information to us; and

4. Keep information about any vulnerabilities that you’ve discovered confidential between yourself and Xpring until we’ve had 90 days to resolve the issue.

If you believe you’ve discovered a security vulnerability in one of our repositories, please use the following means of communications to report it to us:

Send an email to bugs@ripple.com with subject [Security Vulnerability] <Brief Description>.

Please include the following details with your report:

1. Description and potential impact of the vulnerability.

2. A detailed description of the steps required to reproduce the vulnerability (Proof-of-Concept scripts, screenshots, etc).

Please make sure to communicate the above information in encrypted form using our public key.

If you follow these guidelines when reporting an issue to us, we commit to:

1. Not pursue or support any legal action related to your research.

2. Provide an initial confirmation of your report within 72 hours of submission.

3. Work with you to understand and resolve the issue quickly.

This policy applies to all public repositories inside of the xpring-eng GitHub organization.