Pre-launch · building · devnet target Q2 2026

Security.

Last updated · 21 April 2026
01

Reporting vulnerabilities

If you've found a security issue, send it to hello@ligate.io. If you want to encrypt it, use our PGP key published at ligate.io/.well-known/security.txt.

Please don't disclose publicly before we've had a chance to fix it. We'll credit you in the advisory once the issue is remediated.

02

Scope

In scope:

  • Ligate chain modules (Sovereign SDK crates in chain/).
  • Proof of Prompt spec and attestor behaviour.
  • Kleidon smart contracts (EVM Foundry + Solana Anchor).
  • The operator dashboard, API, and SDKs.
  • Ligate Labs websites: ligate.io, themisra.xyz, kleidon.xyz, docs.ligate.io.

Out of scope:

  • Third-party dependencies (please report upstream).
  • Denial-of-service attacks that require volume we clearly haven't provisioned for.
  • Social engineering our team or users.
  • Physical attacks on our offices or hardware.

03

Safe harbor

If you research in good faith, stay within scope, don't degrade the experience for other users, and don't exfiltrate more data than you need to prove the finding, we won't pursue legal action against you. We'll also argue on your behalf if a third party tries to.

04

Response SLA

We aim for:

  • Initial reply within 48 hours.
  • Triage decision within 5 business days.
  • Fix timeline communicated once severity is assessed. Critical issues patched as fast as humanly possible; high-severity within 30 days; lower-severity on a rolling release.

Pre-launch, we don't run a paid bug bounty. Post-mainnet we'll launch one via Immunefi or equivalent.

05

Acknowledgments

Researchers who have helped us will be listed here by name (or handle) after their findings are public. None yet — be the first.

We're pre-launch. This document will be revised before mainnet and reviewed by counsel. Questions: hello@ligate.io.