# Responsible disclosure

Reports should be submitted via email to <security@astaria.xyz>. Reports may be submitted anonymously and/or encrypted per instructions below.

* All bug reports must be fixed and paid **BEFORE** being published.
* Whitehats may NOT publish information about reports rejected as being a duplicate or known issue.
* Whitehats may NOT publish information during the mediation process.
* Bug report intellectual property remains with the whitehat. Right of publication, however, is determined by whichever publication category the project chooses.
* Astaria will investigate legitimate reports and make every effort to quickly resolve any vulnerability. Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

Note that Astaria **requires notice** prior to publishing any findings:

* Whitehats may publish information about their fixes and paid bug reports provided that they give projects 21 days to review and provide input about the publication in the bug report submission thread before they publish.
* Whitehats do NOT need to provide notice prior to publishing information about payment amount, severity, or high-level classification of the bug type (e.g. reentrancy), as long as they do not mention or indicate the project to which it was reported.
* The notice requirement does NOT apply to Whitehats publishing information about reports that have not been resolved within 90 days of escalation, unless a mediation process is ongoing. In those instances, the Whitehat may disclose information pertaining to that bug report without restriction.

If you have any questions or concerns about Astaria's disclosure policy, please contact us via [Twitter](https://twitter.com/AstariaXYZ), [Discord](https://discord.gg/Bp9Rjr65mZ), or email (<security@astaria.xyz>).

If your messages contain sensitive information, you may encrypt using our PGP key:

```
$ curl https://astaria.xyz/publickey.asc | gpg --import
$ gpg --output document.gpg --encrypt --recipient security@astaria.xyz document
```

You may verify the authenticity of the `security.txt` file using the following commands:

```
$ curl https://astaria.xyz/publickey.asc | gpg --import
$ curl -o security.txt https://astaria.xyz/.well-known/security.txt   # save to disk; plain curl only prints to stdout
$ gpg --verify security.txt
    gpg: Signature made Thu Sep 21 23:31:22 2023 EDT
    gpg:                using RSA key 0DA3BCC19A7E3197657425BDEFFB32CB832E56AD
    gpg:                issuer "security@astaria.xyz"
    gpg: Good signature from "Astaria <security@astaria.xyz>" [ultimate]
```

Thank you for helping us keep Astaria safe!

Updated: 2024-01-24
