Security disclosure policy.
Found a vulnerability in Lattice? Please tell us. We promise to listen, fix it, and credit you. Below is the policy in detail.
1. How to contact us.
Send a private (DM) message tagged SECURITY to the project account in our Matrix room. Matrix DMs are end-to-end encrypted by default in current clients; confirm that your client shows the DM as encrypted before you paste any details. If the issue is sensitive enough that even Matrix metadata feels too revealing, ask in the room for our PGP public key, verify its fingerprint with a maintainer, and switch to that. The absence of PGP is never a reason to delay reporting.
2. What we promise.
- Acknowledgement within 72 hours. A real human, not an autoresponder.
- Initial triage within 7 days. We will tell you whether we agree it's a vulnerability, our initial severity assessment, and roughly how we expect to handle it.
- Fix or documented mitigation within 90 days for critical issues. Less-critical issues may take longer, with a clear estimate. We will keep you informed.
- Public credit on disclosure (or anonymity if you prefer — your call).
- Safe-harbour against legal action by us for good-faith research that follows this policy. We will not threaten or pursue researchers who tell us about a problem before publicly disclosing it.
- Public advisory log at /advisories for every confirmed-fixed vulnerability. CVE assignment when applicable.
3. What we ask of you.
- Tell us privately first. Give us a reasonable window to fix before public disclosure.
- Don't access user data you don't own. If your research requires testing against a real account, set up two of your own.
- Don't disrupt the mesh. Fuzzing the local app is fine; flooding the live mesh with bad traffic is not.
- Don't ask for payment. We don't run a bug bounty programme yet (see §6 below). We will credit you publicly with appropriate emphasis.
4. Disclosure timeline.
We support coordinated disclosure with reasonable timelines. The default schedule for a confirmed vulnerability:
- Day 0 — receipt acknowledged, triage begins.
- Day 7 — initial assessment shared with reporter.
- Day 30 (typical) — fix in tree, beta tested.
- Day 60 — fix shipped to users.
- Day 74 (fix shipped + 14 days) — public advisory published.
- Day 90 — researcher may publicly disclose regardless of fix status if we have failed to act in good faith. Critical issues warrant earlier public disclosure if our response is insufficient.
We will not request indefinite embargoes. If a vulnerability cannot be fixed within a reasonable window, we will publish the workaround together with a clear statement of what the partial fix does and does not cover.
5. Scope.
In scope:
- The Lattice iOS app, the Lattice Android app, the lattice-* Rust crates, the lattice.fyi static site, the build / release tooling.
- Cryptographic vulnerabilities — protocol bugs, implementation bugs, side-channels in our code.
- Identity / key-management vulnerabilities — anything that could compromise a Bullet ID's secrecy or authenticity.
- Privacy leaks — anything where data we promised to keep private (message content, metadata, network presence beyond what's documented) leaks.
- Network-level vulnerabilities — anything where the mesh routing leaks information beyond what's documented in the threat model.
Out of scope:
- Bugs in third-party dependencies, unless we're using them in a way that creates the issue. Please report those upstream.
- Bugs in the underlying OS, Bluetooth stack, Wi-Fi stack — please report those to Apple / Google.
- "Vulnerabilities" that are documented limits of the threat model (e.g. "I can detect that someone is running Lattice from BLE adverts" — yes, that's in the docs).
- Social engineering, phishing of project maintainers.
- Denial-of-service via radio jamming. No application-level software can defend against this.
6. Bug bounty.
We do not run a paid bug bounty at launch. The honest reason: bug bounties require dedicated triage staff, and we don't have that. A mismanaged bounty programme is worse than none. We will revisit when the project has the resources to do it well.
In the meantime, public credit and full safe-harbour. Researchers who find substantive issues will be acknowledged in release notes, in the advisory, and (with permission) on a project hall-of-fame page.
7. Audit history.
External audits commissioned and published:
- (none yet — pre-launch)
Audits in flight:
- Pre-v1.0 audit, scope: cryptography, identity, invite protocol, MLS integration. Engagement: in selection, expected with one of Trail of Bits / Cure53 / Latacora. Report will be published in full once any unfixed-critical issues are addressed.