Report security bugs in Affinidi Core via email: security@affinidi.com

Your report will be acknowledged within 24 hours, and you’ll receive a more detailed response to your report within 48 hours indicating the next steps in handling your submission.

After the initial conversation about your report, the security team will try their best to keep you informed of the progress being made towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue.

The timeline would look something like:

• The security report is received and is assigned a primary handler. The problem is confirmed and a list of all affected versions is determined. Code is audited to find any potential similar problems. Fixes are prepared for all releases which are still under maintenance.
• Once a fix is ready, primary handler together with the team will coordonate a release.
• If you've contributed the fix, you will be mentioned (and probably credited) for it.

Right now Affinidi is not running paid Bug Bounty program.

While researching, we'd like to ask you to refrain from:

• Denial of service
• Spamming
• Social engineering (including phishing) of Affinidi staff or contractors
• Any physical attempts against Affinidi property or cloud hosted environments

Here is the security disclosure policy

• Keep confidential information about discovered vulnerabilities or other findings for 90 calendar days.
• No exploitation shall be attempted on the vulnerability, our security analysts will carry out the POC for your reported vulnerability.
• Beside what is already mentioned in the (## Exclusions section), please avoid privacy violations, data exfiltration and manipulation.

Thank you for improving the security of Affinidi and keeping our users safe!