We take the security of Ordo seriously. If you discover a security vulnerability, please follow responsible disclosure practices.
DO NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues to:
- Email: security@ordo.com
- Subject: [SECURITY] Brief description of the issue
Please provide as much information as possible:
- Description - Clear explanation of the vulnerability
- Impact - What an attacker could achieve
- Steps to Reproduce - Detailed reproduction steps
- Proof of Concept - Code or commands demonstrating the issue
- Suggested Fix - If you have ideas on how to fix it
- Your Contact Info - So we can follow up with questions
What to expect after you report:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity (see below)
Severity is assessed as follows:
Critical:
- Remote code execution
- Private key exposure
- Unauthorized fund transfers
- Complete system compromise
High:
- Authentication bypass
- Privilege escalation
- SQL injection
- Significant data exposure
Medium:
- Cross-site scripting (XSS)
- Information disclosure
- Denial of service (the vulnerability itself; running live DoS attacks against production is out of scope)
- Logic errors affecting security
Low:
- Minor information leaks
- Best practice violations
- Non-exploitable bugs
The following components are in scope:
Smart Contracts
- Agent Registry Program (`programs/agent-registry/`) - All on-chain instructions and state management
Backend Services
- API Server (`src/api/`)
- Database operations (`src/database/`)
- Authentication/authorization
DeFi Integration
- Token swap logic (`src/defi/`)
- Wallet management (`src/identity/`)
- Transaction signing
Web & Mobile
- Web application (`web/`)
- Mobile application (`mobile/`)
The following are out of scope:
- Third-party dependencies (report these to the upstream maintainer)
- Social engineering attacks
- Physical attacks
- Denial of service attacks against live systems
- Issues in test/development code
We offer bug bounties at our discretion based on:
- Severity of the vulnerability
- Quality of the report
- Impact on users and the platform
Reward Range: Up to 10% of value at risk, capped at $10,000
Conditions:
- Details must not be shared with third parties before a fix is deployed
- Reporter must not exploit the vulnerability
- Reporter must not access user data beyond what's necessary to demonstrate the issue
Not eligible for a bounty:
- Issues already known to us
- Issues found in code not yet deployed to production
- Theoretical vulnerabilities without a proof of concept
- Vulnerabilities requiring unlikely user interaction
- Issues found through automated scanning without validation
When contributing code:
- Never commit secrets - No API keys, private keys, or passwords
- Validate all inputs - Assume all user input is malicious
- Use parameterized queries - Prevent SQL injection
- Check permissions - Verify authorization for all operations
- Handle errors securely - Don't leak sensitive information
- Keep dependencies updated - Run `npm audit` regularly
To stay secure:
- Keep your private keys safe - Never share them
- Verify transactions - Check details before signing
- Use hardware wallets - For large amounts
- Enable 2FA - Where available
- Keep software updated - Use the latest version
Smart contract security measures:
- Anchor Framework - Type-safe Rust framework
- Account Validation - Strict checks on all accounts
- Signer Verification - Required for sensitive operations
- Integer Overflow Protection - Checked arithmetic
- Access Control - Role-based permissions
Backend security measures:
- Authentication - JWT-based with secure sessions
- Authorization - Role-based access control (RBAC)
- Rate Limiting - Prevent abuse and DoS
- Input Validation - All inputs sanitized
- Encryption - Sensitive data encrypted at rest and in transit
Infrastructure security measures:
- HTTPS Only - All traffic encrypted
- Security Headers - CSP, HSTS, X-Frame-Options
- Regular Audits - Automated and manual security reviews
- Monitoring - Real-time security event detection
- Backups - Regular encrypted backups
When you report a vulnerability:
- We will acknowledge receipt within 48 hours
- We will provide regular updates on our progress
- We will not take legal action against good-faith security research
When reporting a vulnerability:
- Give us reasonable time to fix the issue before public disclosure
- Do not access or modify user data beyond what's necessary
- Do not exploit the vulnerability for personal gain
- Do not disclose the issue to others until we've fixed it
We follow a 90-day disclosure timeline:
- Day 0: Vulnerability reported
- Day 7: Fix developed and tested (target)
- Day 14: Fix deployed to production (target)
- Day 90: Public disclosure at the latest; we may disclose earlier once a fix is deployed
We may request an extension if the fix is complex or requires coordination with other parties.
Completed audits:
- None yet - Project is in active development
Ongoing review:
- Claude Code Security - AI-powered vulnerability discovery
- Manual Code Review - Human security researchers
- Penetration Testing - Simulated attacks on production systems
When available, audit reports will be published at:
Security updates are announced via:
- GitHub Security Advisories - https://github.com/agentic-reserve/ORDO/security/advisories
- Discord - Security channel (link in README)
- Twitter - @OrdoPlatform
- Email - security@ordo.com mailing list
Rollout by severity:
- Critical: Immediate deployment, users notified
- High: Deployed within 7 days, users notified
- Medium/Low: Included in next regular release
For security-related questions or concerns:
- Email: security@ordo.com
- PGP Key: Available on request
- Response Time: Within 48 hours
For general questions, use:
- GitHub Discussions: https://github.com/agentic-reserve/ORDO/discussions
- Discord: (link in README)
We thank the following security researchers for responsibly disclosing vulnerabilities:
- Your name could be here!
This security policy is subject to change without notice. By reporting a vulnerability, you agree to these terms.
Last updated: February 2026