| Version | Supported |
|---|---|
| Latest | ✅ |
| < 1.0 | ❌ |
Do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
Response timeline for reports:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Resolution target: within 30 days for critical issues
MirrorDNA is built with security as a core principle:
- No Silent Profiling — All data collection requires explicit consent
- Local-First — Sensitive data stays on user devices by default
- Cryptographic Integrity — State changes are signed and verifiable
- Minimal Attack Surface — No unnecessary network exposure
- Audit Trail — All operations are logged for transparency
When deploying or contributing, follow these practices:
- Never commit API keys or other secrets to the repository
- Load sensitive configuration from environment variables, not from source
- Validate all inputs at system boundaries
- Review MirrorGate enforcement rules before deployment
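The following is an added example, not MirrorDNA project code, showing the first three practices in working Python: a secret loader that fails closed when the key is missing or is a placeholder, an allow-list validator for an identifier crossing a system boundary, a log-redaction helper, and a small pre-commit style scanner that flags string literals assigned to secret-looking names. The variable name `MIRRORDNA_API_KEY`, the function names and the sample source text are assumptions made for the example; the page does not name the project's real settings.

```python
"""Added example (not MirrorDNA project code): environment-based secrets,
fail-closed loading, boundary validation and a hardcoded-secret scanner.
Names such as MIRRORDNA_API_KEY are illustrative assumptions."""
import os
import re
from typing import Mapping

# Illustrative variable name; the real MirrorDNA setting names are not given on this page.
API_KEY_VAR = "MIRRORDNA_API_KEY"

# Values that indicate a placeholder copied from docs or a sample .env, not a real secret.
_PLACEHOLDERS = {"", "changeme", "your-api-key", "xxx", "<api-key>"}


def load_api_key(env: Mapping[str, str] = os.environ, var: str = API_KEY_VAR) -> str:
    """Return the API key from the environment, or raise if it is missing or a placeholder.
    Failing closed here stops a deployment from silently running with a dummy key."""
    value = env.get(var, "").strip()
    if value.lower() in _PLACEHOLDERS:
        raise RuntimeError(f"{var} is not set; export it in the environment, never commit it")
    if len(value) < 16:
        raise RuntimeError(f"{var} is too short to be a real key")
    return value


# Identifiers accepted at the boundary: short, safe alphabet, no path or shell metacharacters.
_IDENT_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_identifier(raw: str) -> str:
    """Allow-list validation at the boundary: reject anything outside a known-safe
    shape instead of trying to strip dangerous characters from it."""
    if not isinstance(raw, str) or not _IDENT_RE.fullmatch(raw):
        raise ValueError("invalid identifier")
    return raw


def redact(secret: str) -> str:
    """Show only a short suffix in logs so an audit trail never leaks the full key."""
    return "***" + secret[-4:] if len(secret) >= 4 else "***"


# Matches `api_key = "..."`, `password: '...'` and similar: a secret-looking name
# assigned a quoted literal of at least 8 characters. A call such as
# os.environ["..."] is not a quoted literal, so environment reads are not flagged.
_SECRET_ASSIGN_RE = re.compile(
    r"""(?i)\b(api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{8,})['"]"""
)


def find_hardcoded_secrets(source: str) -> list[tuple[int, str]]:
    """Return (line number, matched name) for lines that embed a secret literal.
    Intended as a pre-commit check so such lines never reach the repository."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = _SECRET_ASSIGN_RE.search(line)
        if m:
            hits.append((lineno, m.group(1)))
    return hits


# Constructed sample source for the scanner; not taken from any real repository.
SAMPLE_SOURCE = '''import os
API_KEY = "sk-live-0123456789abcdef"       # bad: literal committed to the repo
api_key = os.environ["MIRRORDNA_API_KEY"]  # good: read from the environment at runtime
password = "hunter2hunter2"                # bad: literal committed to the repo
'''

if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded value assigned to {name}")
    try:
        key = load_api_key()
        print("loaded key", redact(key))
    except RuntimeError as exc:
        print("refusing to start:", exc)
```

The scanner is deliberately a narrow allow-list of names rather than an entropy check, so it produces few false positives and can block a commit outright; the loader treats a missing key as a startup error instead of falling back to a default, which is the behaviour that keeps placeholder credentials out of production.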
We appreciate security researchers who help keep MirrorDNA secure. While we don't have a formal bug bounty program, we will:
- Credit researchers in release notes (with permission)
- Provide a reference letter upon request
- Consider swag/merchandise for significant findings
Part of the MirrorDNA Ecosystem