Do not disclose suspected vulnerabilities in public issue trackers.

Report security findings privately to: security@aoxchain.io.

Include, at minimum:

• affected component(s),
• reproduction procedure or proof-of-concept,
• impact statement (safety, funds, availability, integrity),
• suggested mitigations if available.

• Acknowledge receipt within 24 hours.
• Perform technical triage and severity assignment.
• Coordinate mitigation and release strategy based on impact class.
• Publish advisory notes after risk containment.

• Consensus safety/liveness violations.
• State transition determinism failures.
• Signature/key lifecycle vulnerabilities.
• RPC/network abuse pathways.
• Privilege-escalation or persistence boundary bypasses.

Security assurance in AOXChain is evidence-driven and iterative. No absolute security guarantee is made.

This repository is provided under MIT on an "as is" basis, without warranties or liability assumptions by maintainers or contributors.