Contact: contact@gone.wtf
Preferred-Languages: en
Canonical: https://gone.wtf/.well-known/security.txt
Policy: https://gone.wtf/security-policy
Acknowledgments: https://gone.wtf/security-acknowledgments

# Security Policy for GONE Privacy Mixer

## ZK Protocol Security

ZK Protocol: Light Protocol (CmtHVz7C4mRhk3UKNs2BjPZVKPMbB6x86wwghHKzeKZy)
Network: Solana Mainnet
Privacy Focus: Anonymous transaction mixing with zero-knowledge proofs

## Scope

The following components are in scope for security disclosures:

1. ZK Privacy Mixer Protocol
   - Light Protocol Integration: CmtHVz7C4mRhk3UKNs2BjPZVKPMbB6x86wwghHKzeKZy
   - Note System: gone-0.2.0-[base64-private-key]-[hash]
   - Compressed Account Management

2. Frontend Application
   - URL: https://gone.wtf/mixer
   - Technology: Next.js, React, Solana Web3.js, Light Protocol

## Reporting a Vulnerability

If you discover a security vulnerability, please report it by:

1. Email: security@gone.wtf
2. Include:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if any)

## Response Timeline

- Initial response: Within 48 hours
- Status update: Within 7 days
- Fix deployment: Depends on severity (critical within 24h)

## Bug Bounty

We appreciate responsible disclosure and may offer rewards for:

- Critical vulnerabilities: Up to $5,000 USDC
- High severity: Up to $2,500 USDC
- Medium severity: Up to $1,000 USDC
- Low severity: Recognition in acknowledgments

## Out of Scope

- Social engineering attacks
- DDoS attacks
- Issues in third-party dependencies
- Previously known issues

## Safe Harbor

We support safe harbor for security researchers who:

- Make a good faith effort to avoid privacy violations
- Don't exploit the vulnerability beyond verification
- Don't access or modify user data
- Report vulnerabilities promptly
- Don't publicly disclose until we've addressed the issue

Thank you for helping keep GONE secure!