Security: ManyMath/monero-oxide


Security

Critical Disclosures

Bugs in monero-oxide which put a downstream project at risk of loss of funds (or a similarly critical issue) are to be reported via monero-oxide's Bug Bounty Program. This bug bounty was generously sponsored by Power Up Privacy, who directly handles payouts.

The issue should be privately disclosed to all affected projects via their stated disclosure method (or, where no disclosure method is stated, via any private means of communication).

If multiple projects were disclosed to, all of them, including monero-oxide, should be informed of this. No project has permission to make a public disclosure until all projects have resolved the issue.

DoS Disclosures

Bugs which cause panics, or a similar denial-of-service, are to be reported to the administrators (via Matrix) and the affected downstream projects (again via their stated disclosure methods).

A public disclosure will only occur once monero-oxide releases a fix.

Bugs

All other bugs are to be reported via the GitHub issues of the monero-oxide repository. If the severity of a bug is in question, it must be treated as its highest potential severity.

Fallback Disclosure Timeline

Any bug within monero-oxide may be publicly disclosed three months after the date of its responsible disclosure to the monero-oxide project, regardless of its status. Prior to this deadline, any disclosed-to party may request an extension of up to 60 days. If the discloser agrees to that extension, they must notify all disclosed-to parties of the new timeline, and all must honor it. If the discloser does not agree, they must explicitly inform the requester of their disagreement.

There aren’t any published security advisories