Lattice Lattice

Security disclosure policy.

Found a vulnerability in Lattice? Please tell us. We promise to listen, fix it, and credit you. Below is the policy in detail.


1. How to contact us.

Send a private (DM) message tagged SECURITY to the project account in our Matrix room. Matrix DMs are end-to-end encrypted by default. If the issue is sensitive enough that even Matrix metadata feels too revealing, ask in the room for our PGP public key and switch to that. But the absence of PGP is never a reason to delay reporting.

2. What we promise.

3. What we ask of you.

4. Disclosure timeline.

We support coordinated disclosure with reasonable timelines. The default schedule for a confirmed vulnerability:

We will not request indefinite embargoes. If a vulnerability cannot be fixed within a reasonable window, we will publish the workaround and the limit of the fix together.

5. Scope.

In scope:

Out of scope:

6. Bug bounty.

We don't run a paid bug bounty at launch. Bug bounties need dedicated triage staff, and we don't have that yet. A mismanaged bounty programme is worse than none, so we'll revisit when the project has the resources to do it well.

In the meantime, public credit and full safe-harbour. Researchers who find substantive issues will be acknowledged in release notes, in the advisory, and (with permission) on a project hall-of-fame page.

7. Audit history.

External audits commissioned and published:

Audits in flight: