If you discover a security vulnerability in Title Protocol, please report it responsibly.
Preferred method: GitHub Security Advisories
Alternative: Email contact@titleprotocol.org
Please do NOT:
- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before it has been addressed
The following components are in scope for security reports:
| Component | Description | Examples |
|---|---|---|
| TEE Server | Trusted Execution Environment server | Key extraction, attestation spoofing, memory isolation bypass |
| Gateway | HTTP API server | Request forgery, authorization bypass, SSRF |
| Processors | Attribute extraction modules | Memory safety, input validation, hash collision exploitation |
| Cryptography | Encryption suites and key management | Key derivation flaws, nonce reuse, weak randomness |
| Solana Extension | On-chain integration | ZK proof bypass, whitelist manipulation, unauthorized minting |
Build and test instructions for the Solana program and SP1 guest are in CONTRIBUTING.md.
The following are out of scope:
- legacy/ -- Archived code, not deployed
- docs/ -- Documentation only
| Stage | Target |
|---|---|
| Acknowledgment | Within 48 hours |
| Triage & severity assessment | Within 7 days |
| Fix for Critical/High | Best effort, typically within 30 days |
| Fix for Medium/Low | Next planned release |
- Critical: Key extraction from TEE, attestation forgery, full authentication bypass
- High: Unauthorized cNFT minting, whitelist manipulation, content data exfiltration
- Medium: Denial of service (OOM, resource exhaustion), information disclosure of non-sensitive data
- Low: Minor issues with limited impact
We appreciate responsible disclosure and will acknowledge security researchers in release notes (with permission).