We greatly welcome security audits and analysis of our projects.
We are happy to work with you in assessing potential issues and in developing effective secure solutions.
Should you find anything of concern, please feel free to email us at security@mobilecoin.com. We appreciate responsible disclosure and are happy to collaborate on timed announcements to credit you for your research discovery.
Anything in /vendor is out-of-scope from our perspective, although
we are happy to help coodinate talking to the respective parties in
control of upstream maintenance of works and/or libraries which we
depend upon.
Also out-of-scope is hardware security issues with particular devices. For example, should a certain chipset utilised by a vendor be subject to timing attacks, fault injection attacks, etc., this is not within scope.