The RootstockCollective team and community take security vulnerabilities very seriously. Although this project is currently in its bootstrapping phase (MVP) and falls outside the scope of a Bug Bounty Program, we sincerely appreciate your responsible disclosure and will make every effort to acknowledge your contributions.

For all security related issues, use the GitHub Security Advisory "Report a Vulnerability" tab.

The RootstockCollective team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

Ensure the bug has not already been reported by searching on GitHub under Issues.

RootstockCollective will make its best effort to meet the following response times for reported vulnerabilities:

• Time to first response (from report submission) - 5 business days
• Time to triage (from report submit) - 7 business days

We'll try to keep you informed about our progress throughout the process.

• Public disclosure of a vulnerability makes it ineligible for a bounty.