Found something? Tell us first.
We respond to security reports within 24 hours. Coordinate disclosure, get a CVE if applicable, and you stay anonymous unless you want credit.
How to report
Send to security@openkarta.org. Encrypt with our PGP key (fingerprint published in security.txt) for sensitive details.
Include
Reproduction steps, affected version, your environment, and impact. Proof-of-concept code or HTTP traces are very welcome.
We respond
Acknowledge in 24 hours. Triage and a fix-by date in 72 hours. Public advisory once a patch is available.
Scope
In scope
- api.openkarta.org — registry API
- registry.openkarta.org — registry web app
- openkarta.org — landing site
- Reference agents at *.fly.dev that are operated under the OpenKarta umbrella
- @openkarta/* npm packages on the public registry
Out of scope
- Third-party merchant agents listed in the registry — report to the merchant directly
- LLM-vendor endpoints (OpenRouter, OpenAI, Anthropic, etc.)
- Self-XSS, social engineering, physical attacks, or DoS without a working exploit
- Issues that require a privileged position on the user's device or network
Safe-harbor
We will not pursue legal action against good-faith security research, provided you:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
- Do not access more data than is necessary to demonstrate the issue.
- Give us a reasonable time to respond before public disclosure (typically 90 days).
- Do not exploit findings beyond proof of concept.
Reading the wire-format spec for free is the best bug-hunting prep.
Closed enums, signed quotes, and the user-token delegation system are the highest-leverage areas for review. We particularly value reports against signature handling and quote replay.