SECURITY
Responsible Disclosure
Report vulnerabilities safely & responsibly
We appreciate security research. If you believe you’ve found a vulnerability, please follow the policy below. We will work with you to investigate and remediate.
Policy summary
Please do not publicly disclose issues before we have had a reasonable time to remediate. Make a good‑faith effort to avoid privacy violations, destruction of data, service degradation, or disruption.
Safe harbor
We will not initiate legal action for good‑faith research aligned with this policy. Activities should be limited to systems in scope, respect rate limits, and avoid affecting other users.
Scope (in‑scope targets)
- *.monolith.xyz web applications (production and sandbox)
- Public APIs and webhooks published in our Docs
- Mobile/desktop clients distributed by Monolith
Out of scope
- Social engineering, physical security, or third‑party platforms
- Denial of service, spam, or automated account creation
- Best‑practice suggestions without demonstrable security impact
How to report
Email security@monolith.xyz with a clear description, steps to reproduce, affected endpoints, and impact. Encrypt sensitive details with our PGP key below.
PGP key & fingerprint
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: Monolith Security
Comment: Example key for disclosure page
(Ask for the latest key via security@monolith.xyz)
-----END PGP PUBLIC KEY BLOCK-----
Fingerprint: 9F2A D4C3 2B77 1A4E 8C01 7E9B 2E10 A5C9 D3EE 42AA
Response targets (SLA)
- Acknowledgement: within 2 business days
- Initial triage & severity: within 5 business days
- Remediation timeline: depends on severity and complexity
Severity guidance
| Level | Examples |
|---|---|
| Critical | Auth bypass, RCE, key exfiltration |
| High | Privilege escalation, IDOR with sensitive data |
| Medium | CSRF with state change, stored XSS in limited scope |
| Low | Open redirects, verbose errors |
Recognition & rewards
We operate a discretionary recognition program for impactful reports (hall of fame and, where applicable, rewards). We do not offer bounties for out‑of‑scope issues.
Legal notes
By submitting a report, you confirm you are not violating any laws or agreements. Testing must avoid accessing data of other users. If you encounter personal data, stop, minimize access, and report immediately.