The security of our users' traffic is the highest priority for the EdgeRay project. If you find a security vulnerability, we appreciate your help in disclosing it to us responsibly.
If you have discovered a security bug, please DO NOT open a public issue. Instead, please report it to us via one of the following methods:
- Direct Email: Send a detailed report to security@edgeray.io.
- Private Message: Reach out to the project maintainers on the official Discord/Telegram channels.
We aim to acknowledge all reports within 48 hours and provide a timeline for a fix within 7 days.
The scope of this policy includes:
- rustray engine: Encryption or proxy protocols.
- edgeray-app desktop client: IPC and local permissions handling.
- rr-ui management panel: Authentication and data persistence.
Vulnerabilities that are out of scope:
- Weakness in external dependencies (though we'd appreciate the notice).
- Standard TLS certificate renewal issues.
- Misconfiguration of user servers by the node operator.
While we currently do not have a formal financial bug bounty program, we are happy to publicly acknowledge researchers who help us identify and fix critical vulnerabilities (with your permission) and add you to our Hall of Fame.
EdgeRay Team Building a safer and freer internet.