Vulnerability Disclosure Policy

We welcome security research on JIL Sovereign infrastructure. This policy defines scope, reporting channels, safe-harbor terms, and our response commitments. Report first, publish later.

Reporting a Vulnerability

Send findings to our security team through one of the channels below. Encrypt sensitive details using our PGP key.

Email (preferred): contact@jilsovereign.com
Please include: affected asset (URL / service / contract / API), reproduction steps, expected vs. actual behavior, impact assessment, and any supporting proof-of-concept. Video / screen-recording is welcome.

Scope

In scope

  • *.jilsovereign.com and *.getjil.com production assets
  • Public API endpoints (jilsovereign.com/api/*, wallet.getjil.com/api/*)
  • Signed-envelope / canonical-JSON verification logic in @jil/fleet-signer
  • MPC cosigner key-generation and signing paths
  • Settlement receipt renderer determinism + signature binding
  • Trust-bundle distribution and rotation
  • Smart contracts: JILBridge, JILTreasury, JILTokenSwap, JILTokenSale
  • Solana program jil_bridge

Out of scope

  • Denial-of-service attacks, volumetric or protocol-level
  • Social engineering of employees, customers, or vendors
  • Physical access to our infrastructure
  • Findings based solely on outdated browsers or unpatched client OS
  • Missing security headers that do not lead to demonstrable exploitation
  • Self-XSS, clickjacking on pages with no sensitive actions
  • Third-party SaaS (Cloudflare, Hetzner, GitHub) - report upstream
  • Automated scanner output without manual validation

Safe Harbor

We will not pursue civil or criminal action against researchers who:

  • Make a good-faith effort to follow this policy
  • Avoid accessing, modifying, or exfiltrating data beyond what is minimally necessary to demonstrate the finding
  • Do not degrade service availability
  • Do not publicly disclose before the coordinated disclosure timeline below has run

If in doubt whether a test is in scope, contact us first.

Response Timelines

Severity             First response     Triage             Target fix    Disclosure
Critical             24 hours           72 hours           30 days       Coordinated, ≥ 90 days after fix
High                 3 business days    7 business days    60 days       Coordinated, ≥ 90 days after fix
Medium               5 business days    14 business days   90 days       Coordinated
Low / Informational  10 business days   30 business days   Best effort   Optional

Severity is assigned using CVSS v3.1 plus our own context-weighted triage. We confirm the fix to the reporter before any public disclosure.

Bounty Program

A formal bounty program is planned following completion of our external security audits (MPC cosigner, fleet-signer, bridge contracts). Scope and payout tiers will be published here. Until then, qualifying reports are eligible for retroactive recognition in the hall of fame below and swag (shirt / stickers). Monetary rewards for severe findings may be awarded at our discretion.

Hall of Fame

Researchers who have responsibly disclosed security findings are acknowledged here with their permission.

This list updates as reports are coordinated and fixed.

What We Ask You Not To Do

  • Do not test against customer accounts or data you do not own. Use our sandbox or your own test account.
  • Do not run automated scanners against production. Contact us for a sandbox endpoint.
  • Do not publicly disclose before the coordinated disclosure timeline above has run.
  • Do not attempt to extract, modify, or destroy production data.
  • Do not contact customers, employees, or third parties as part of an exploit chain.