Security Disclosure Policy

How to report security issues in Burning Ash Protocol — responsible disclosure, scope, and safe harbor.

Last Updated: March 2026

Reporting a Security Issue

Do NOT open a public GitHub issue for security matters.

If you discover a security issue in Burning Ash Protocol, please report it responsibly.

Email: security@baprotocol.com

What to Include

  • Description of the issue
  • Steps to reproduce (if applicable)
  • Affected versions or components
  • Potential impact assessment

Response Timeline

Stage                Timeframe
Acknowledgment       Within 48 hours
Initial assessment   Within 5 business days
Status updates       Every 7 days until resolution
Critical fix         Within 72 hours of confirmation

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized in view of applicable anti-hacking laws; we will not initiate or support legal action against you for it
  • Exempt from any DMCA anti-circumvention claim by us
  • Conducted in good faith

We will not pursue legal action against researchers who:

  • Act in good faith and follow this policy
  • Avoid data destruction or degradation
  • Do not access or modify other users' data
  • Report issues promptly and allow reasonable remediation time

Scope

In Scope

  • Authentication & Authorization — JWT handling, admin panel access, Host login, Survivor OTP
  • Encryption Implementation — AES-256-GCM, Shamir's Secret Sharing, Ed25519 signing
  • Key Management — MASTER_KEY handling, DEK lifecycle, key splitting
  • API Security — Data exposure, injection, CSRF, rate limiting bypass
  • Will Transfer Protocol — Unauthorized access, premature or false transfer triggers
  • Liveness Check System — Bypass, false triggers, manipulation
  • Docker Configuration — Container escape, privilege escalation
  • Dependencies — Known CVEs in direct dependencies
  • Credential Handling — Storage provider OAuth tokens, connector credentials (SMTP, Twilio, Telegram)

Out of Scope

  • Social engineering attacks against BAP users or staff
  • Denial of service attacks
  • Issues in third-party services (Stripe, Google OAuth, Twilio)
  • Issues requiring physical access to the server
  • Outdated browsers or platforms
  • Self-hosted instances operated by third parties

Encryption-Specific Guidance

BAP's encryption model is central to its security promise. We especially value reports related to:

  • Weaknesses in the AES-256-GCM implementation
  • Shamir's Secret Sharing threshold bypass
  • MASTER_KEY exposure vectors
  • DEK leakage through side channels
  • Cryptographic timing attacks

Recognition

We credit reporters in release notes and maintain a Security Acknowledgments page (unless you prefer anonymity). Outstanding reports may be eligible for a discretionary reward.

PGP Key

For encrypted communication, our PGP key will be published at:

https://baprotocol.com/.well-known/pgp-key.asc
