Please do not file a public ticket mentioning the vulnerability.
If you identify vulnerabilities in any Mezo code, please email
security@mezo.org with information relevant to your findings. We will work
with researchers to coordinate vulnerability disclosure between our stakers,
partners, and users to ensure the successful mitigation of vulnerabilities.
Throughout the reporting process, we expect researchers to honor an embargo period that may vary depending on the severity of the disclosure. This ensures that we have the opportunity to fix any issues, identify further issues (if any), and inform our users.
Sometimes vulnerabilities are more sensitive in nature and require extra
precautions. We are happy to work together to use a more secure medium, such as
Signal. Email security@mezo.org and we will coordinate a communication channel
that we're both comfortable with.
The Mezo team will make a best effort to respond to a new report within 48 hours. This response may be a simple acknowledgement that the report was received, or may be an initial assessment from the team. Unless the report is assessed as irrelevant or incorrect, this response will include expected next steps and communication time frames from the team.
The Mezo team will try to make an initial assessment of a bug's relevance, severity, and exploitability, and communicate this back to the reporter.