We take security seriously. If you discover a security vulnerability, please follow these steps:

• Open a public GitHub issue
• Discuss the vulnerability publicly
• Exploit the vulnerability

1. Email us privately at [security@oink.io] (replace with actual email)

2. Include details:

   • Type of vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

3. Wait for response within 48 hours

1. Acknowledgment: We'll acknowledge receipt within 48 hours
2. Assessment: We'll assess the vulnerability within 7 days
3. Fix: Critical vulnerabilities will be patched within 14 days
4. Disclosure: We'll coordinate public disclosure with you

The core security invariant of this bridge:

INVARIANT: totalOinkLocked === totalMidoinkMinted

This is enforced by:

• Smart contract logic (cannot mint without lock)
• State manager assertions on every operation
• Verification tests on every code change

For production deployment:

• Use Hardware Security Modules (HSM)
• Implement key rotation
• Geographic distribution of validators
• Threshold signatures

1. Centralization: Current 3-validator setup is semi-centralized
2. Emergency unlock: 7-day timeout could delay recovery
3. Cross-chain latency: Operations require confirmations on both chains

We plan to launch a bug bounty program covering:

Details will be published when the program launches.

• Security issues: [security@oink.io]
• General inquiries: [info@oink.io]

Audit reports will be published here once completed:

• Smart contract audit (pending)
• Penetration testing (pending)
• Code review (pending)