
Security: collectiv-ai/collectiv-ai.github.io

SECURITY.md

Security Policy – CollectiVAI

CollectiVAI is an experimental, pre-production project.
Even so, we take security and responsible disclosure seriously.

This policy applies to all repositories under the collectiv-ai organisation.


1. Supported repos

Security reports are most relevant for:

  • collectiv-ai-app – iOS / iPadOS / macOS client
  • collectiv-ai-app-chain – Cosmos-based App-Chain (pre-alpha)
  • collectiv-ai.github.io – website & public docs
  • any future backend / routing components

Other repositories (branding, business plan, about-founder, sponsors, etc.)
are mostly documentation and less security-critical, but you can still report issues.


2. Reporting a vulnerability

If you believe you have found a security issue, please do not open a public issue.

Instead, contact:

  • E-mail: info@collectivai.org
    Subject suggestion: SECURITY – <short summary>

Please include:

  • which repository and component is affected,
  • a short description of the issue,
  • how to reproduce it (proof of concept),
  • any potential impact you see.

If you can, also mention:

  • OS / platform (e.g. iOS 18, macOS 15, Ubuntu 22.04),
  • version/commit of the project you tested.

We prefer plain text or simple Markdown reports.


3. What we do with your report

We will:

  1. Acknowledge receipt of your report as soon as reasonably possible.
  2. Analyse and verify the issue.
  3. Plan a fix or mitigation where appropriate.
  4. Decide how and when to disclose the issue publicly.

If you wish, we can credit you in release notes or security advisories,
unless you prefer to remain anonymous.


4. Scope & principles

Please:

  • Do not use security issues to access, modify or delete data that does not belong to you.
  • Do not perform denial-of-service attacks.
  • Do not exploit issues beyond what is necessary to demonstrate them.

CollectiVAI is an independent, small-scale project.
We cannot offer monetary bug bounties at this time,
but we deeply appreciate responsible disclosure and will credit your help.


5. Out of scope

The following are generally out of scope:

  • vulnerabilities in third-party dependencies that we do not control
    (but feel free to highlight them so we can update/patch),
  • issues that require physical access to a local test machine,
  • social engineering attacks against individuals.

If you are unsure whether something is in scope, you can still send a short email
and ask before going deeper.


Thank you for helping to keep CollectiVAI safe and trustworthy.
