Security Policy
How the Autheo Foundation protects the network, responds to vulnerabilities, and partners with the security community to keep the ecosystem safe.
Last Updated: April 1, 2026
I. Introduction
The Autheo Foundation ("Foundation," "we," "us," or "our") treats security as a foundational responsibility. The Autheo network handles identity, cross-chain communication, and on-chain AI infrastructure — systems where a single vulnerability can have significant consequences for users, validators, and the broader ecosystem. We take that responsibility seriously.
This Security Policy describes our approach to protecting the Autheo ecosystem, how we work with external security researchers, what systems are in scope, and the standards we hold ourselves and our partners to. It complements but is separate from our Responsible Disclosure Policy, which governs the specific process for reporting vulnerabilities to the Foundation.
II. Security Principles
The Foundation's security posture is guided by four core principles:
- Defense in Depth — No single control is relied upon exclusively. We layer protections across the protocol, smart contract, infrastructure, and application tiers so that a failure at one layer does not compromise the whole system.
- Least Privilege — Access to sensitive systems, keys, and configuration is granted on a strictly need-to-know basis and reviewed regularly. Elevated permissions are time-limited and logged.
- Transparency — We believe the security community is stronger when vulnerabilities are disclosed responsibly and remediation is communicated publicly. We publish security advisories for all confirmed vulnerabilities once remediation is complete.
- Continuous Improvement — Security is not a one-time exercise. We engage third-party auditors, run an active bug bounty program, and conduct internal security reviews on a recurring cadence.
III. Scope of This Policy
This policy applies to all security-relevant aspects of the Autheo ecosystem maintained by the Foundation, including:
- Core Protocol — The consensus engine, validator infrastructure, state machine, block production and finality logic, and all foundational blockchain components of the Autheo Layer-0 and Layer-1 network.
- Smart Contracts — System contracts, bridge contracts, governance contracts, and any on-chain programs deployed or maintained by the Foundation.
- IBC Module — The Inter-Blockchain Communication protocol implementation, including packet routing, relay logic, channel authentication, and cross-chain state verification.
- AutheoID — The decentralized identity framework, including credential issuance, on-chain identity resolution, verifiable credential verification, and associated key management.
- Eigensphere AI — On-chain AI inference modules, model integrity verification, computational resource management, and related infrastructure.
- Network Infrastructure — Validator nodes, RPC endpoints, block explorer, testnet infrastructure, faucet services, and any other Foundation-operated network services.
- Web Properties — The Foundation's public-facing websites (including autheofoundation.org), grant and ambassador application systems, APIs, and associated backend services.
- Developer Tooling — SDKs, CLI tools, client libraries, and documentation systems maintained by the Foundation.
IV. Security Standards and Practices
A. Code and Protocol Security
All protocol-level changes and smart contract deployments follow a multi-stage review process:
- Internal review — All code changes require peer review from at least one senior engineer before merging to main development branches.
- Automated testing — Comprehensive unit, integration, and fuzz test suites run on every pull request. Security-relevant test coverage is tracked separately.
- Third-party audits — Major protocol upgrades and new smart contract deployments are audited by independent security firms prior to mainnet deployment. Audit reports are published publicly.
- Formal verification — Where feasible, critical smart contract logic is formally verified against a written specification. This gives a mathematical guarantee that the code conforms to that specification, not that the specification itself captures every intended property, so formal verification complements rather than replaces review, testing, and audit.
B. Infrastructure Security
The Foundation applies industry-standard controls to its infrastructure:
- All production systems use encrypted communications (TLS 1.2 minimum, TLS 1.3 preferred) and are not accessible via unencrypted protocols.
- Access to production infrastructure requires multi-factor authentication. Privileged access is managed through dedicated identity providers with full audit logging.
- Secrets, private keys, and credentials are never stored in source code repositories. Key management follows hardware security module (HSM) best practices for high-value keys.
- Systems are patched and updated on a regular cadence. Critical patches are applied on an expedited basis following vendor disclosure timelines.
- Network segmentation isolates production, staging, and development environments. Production systems are not reachable from development workstations without explicit, time-limited approval.
C. Incident Response
The Foundation maintains a documented incident response plan. In the event of a confirmed security incident:
- The security team is notified immediately and a severity assessment is performed within two hours of initial detection.
- For incidents affecting network integrity or user funds, an emergency governance process can be invoked to pause affected contracts or infrastructure components pending remediation.
- Affected users and ecosystem participants are notified as soon as practical, with full transparency about the nature of the incident and steps taken.
- A post-incident review is conducted within 30 days and findings are shared publicly, including root cause and remediation steps taken.
V. Third-Party and Ecosystem Security
The Foundation's security standards extend to the partners and projects we work with:
- Grant recipients — Projects that receive Foundation grants building on the Autheo network are expected to implement reasonable security practices commensurate with the assets and users they handle. We provide security guidance and access to audit resources as part of the grant program.
- Validators — Validator operators are expected to follow the Foundation's published validator security guidelines, including key management best practices, infrastructure hardening, and incident reporting obligations.
- Bridge operators — Projects operating bridges to or from the Autheo network are strongly encouraged to conduct independent security audits before launch and to participate in the Foundation's coordinated disclosure process for cross-chain vulnerabilities.
- Dependencies — The Foundation actively monitors security advisories for all significant dependencies in the Autheo codebase and responds to upstream vulnerabilities in a timely manner.
VI. Security Audits
The Foundation publishes all completed third-party security audit reports on our website and in our public GitHub repositories. Audit reports include the scope of the engagement, findings by severity, and the Foundation's response to each finding.
We engage auditors with demonstrated expertise in blockchain security, smart contract analysis, and distributed systems. Auditors are selected through a competitive process and rotate on a regular cadence to ensure independent perspective.
Audit reports and their remediation status can be found in the Developer section of this website. If you have questions about a specific audit finding, contact security@autheofoundation.org.
VII. Bug Bounty Program
The Autheo Foundation operates an active bug bounty program to reward security researchers who identify vulnerabilities in our systems before they can be exploited. The program covers the full scope of systems listed in Section III above.
Reward amounts are based on the severity of the vulnerability:
- Critical — Up to $100,000: Vulnerabilities that could result in loss of funds, total network compromise, or severe data breach affecting large numbers of users.
- High — Up to $25,000: Significant vulnerabilities with material impact on network integrity, user security, or protocol correctness.
- Medium — Up to $5,000: Vulnerabilities with limited impact or requiring specific conditions to exploit.
- Low — Up to $1,000: Minor issues, best-practice deviations, or informational findings with low exploitability.
To be eligible for a reward, reports must be submitted in accordance with our Responsible Disclosure Policy, must describe a previously unknown vulnerability, and must include sufficient information to reproduce and triage the issue. Only the first reporter of a given vulnerability is eligible for a reward.
The Foundation reserves the right to adjust reward amounts based on report quality, impact assessment, and the novelty of the vulnerability class. Duplicate reports, out-of-scope submissions, and reports that violate the terms of the Responsible Disclosure Policy are not eligible for rewards.
VIII. Severity Classification
The Foundation uses the following framework to classify vulnerability severity, aligned with industry standards including the Common Vulnerability Scoring System (CVSS):
- Critical — Remote code execution, theft or loss of user funds, consensus-breaking bugs, total network halt from a single transaction or packet, or complete compromise of a Foundation-controlled system. Requires immediate escalation and emergency response.
- High — Significant privilege escalation, partial network disruption, material degradation of validator performance, smart contract logic bypasses that compromise intended behavior, or substantial data exposure affecting multiple users.
- Medium — Limited-scope privilege escalation, denial-of-service attacks requiring sustained effort, vulnerabilities requiring user interaction, or issues that degrade user experience without direct financial impact.
- Low — Best-practice deviations, minor misconfigurations, informational findings, or issues with very low exploitability and negligible impact.
IX. Security Advisories
When a vulnerability is confirmed and remediated, the Foundation publishes a security advisory. Advisories include:
- A unique advisory identifier (format: AUTHEO-YEAR-SEQ)
- Description of the vulnerability and affected components
- Severity classification and CVSS score where applicable
- Affected versions and the version in which the fix was released
- Recommended action for users, validators, and node operators
- Credit to the reporting researcher (with their permission)
Security advisories are published on our GitHub repository and announced via the Foundation's official communication channels. To receive advisories by email, subscribe to the Foundation's security mailing list at security@autheofoundation.org.
X. Hall of Fame
The Autheo Foundation maintains a public Security Hall of Fame recognizing researchers who have made significant contributions to the security of the Autheo ecosystem through responsible disclosure. Listing is opt-in: we will always ask before publishing a name or pseudonym.
Contributions recognized in the Hall of Fame include confirmed critical and high severity vulnerabilities, novel vulnerability research affecting the Autheo protocol, and exceptional quality security reports that materially advance our understanding of the threat landscape.
XI. Prohibited Activities
The following activities are prohibited under this policy and under our Responsible Disclosure Policy, regardless of intent:
- Denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against any Foundation-operated infrastructure or the Autheo network.
- Physical security testing, social engineering, phishing, or vishing attacks against Foundation personnel, validators, or community members.
- Testing against mainnet infrastructure. All testing must be conducted on local environments or the Autheo testnet.
- Accessing, exfiltrating, or disclosing data belonging to other users, validators, or third parties.
- Exploiting a vulnerability beyond what is strictly necessary to demonstrate its existence.
- Publicly disclosing an unpatched vulnerability prior to remediation and coordinated disclosure.
- Automated scanning that generates significant traffic burdens on Foundation services.
Violations of these prohibitions may result in disqualification from the bug bounty program and, where applicable, referral to law enforcement. Good-faith security research conducted in compliance with this policy and our Responsible Disclosure Policy will not be subject to legal action by the Foundation.
XII. Reporting a Vulnerability
If you believe you have discovered a security vulnerability in any Autheo Foundation system, please report it by following the process described in our Responsible Disclosure Policy. Send reports to security@autheofoundation.org. For sensitive or high-severity reports, we encourage PGP encryption using the key referenced from autheofoundation.org/.well-known/security.txt (the Foundation's RFC 9116 security.txt file).
We acknowledge receipt of all reports within 48 hours and provide an initial triage assessment within 5 business days.
XIII. Changes to This Policy
The Autheo Foundation reserves the right to modify or update this Security Policy at any time. Changes will be reflected on this page with an updated "Last Updated" date. Material changes will be announced via the Foundation's official communication channels. We encourage you to review this policy periodically.
XIV. Contact
For security-related questions, vulnerability reports, or inquiries about this policy, contact the Autheo Foundation Security Team:
Autheo Foundation — Security Team
Email: security@autheofoundation.org
PGP Key: autheofoundation.org/.well-known/security.txt
Responsible Disclosure: autheofoundation.org/pages/disclosure