Security: Spizzerp/flatlineOS

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Flatline, please do not open a public issue.

Instead, report it privately:

Include as much detail as possible:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix or mitigation: Depends on severity, but we aim for resolution within 30 days for critical issues

Scope

The following are in scope:

  • Smart contract vulnerabilities (programs/flatline/)
  • Backend API security issues (services/backend/)
  • Frontend security issues (flatline-frontend/)
  • Keeper/liquidation logic (services/keeper/)
  • Oracle manipulation or price feed attacks

The following are out of scope:

  • Denial of service attacks against public RPCs
  • Social engineering
  • Issues in third-party dependencies (report these upstream)

Bug Bounty

We do not currently have a formal bug bounty program. Significant findings will be credited in release notes (with your permission) and we're open to discussing compensation for critical vulnerabilities on a case-by-case basis.

Audit History

The protocol has undergone a security audit. Key fixes (C-01, C-02, H-01 through H-04) have been implemented and are documented in the codebase. See CLAUDE.md for details on specific fixes.

Responsible Disclosure

We ask that you:

  • Give us reasonable time to address the issue before public disclosure
  • Avoid exploiting the vulnerability beyond what is necessary to demonstrate it
  • Do not access or modify other users' data or funds

There aren’t any published security advisories