If you discover a security vulnerability in the MirrorDNA protocol specification, schemas, validator, or reference implementation, please report it responsibly.

DO NOT open a public GitHub issue for security vulnerabilities.

Email: security@activemirror.ai

• Description of the vulnerability
• Steps to reproduce (if applicable)
• Affected component (schema, validator, spec, runtime)
• Severity assessment (Critical / High / Medium / Low)

• Acknowledgement: Within 48 hours of receipt
• Initial Assessment: Within 5 business days
• Resolution Target: Within 30 days for Critical/High severity

• Vulnerabilities exposing user identity data or enabling unconsented identity drift are treated as Critical.
• We follow coordinated disclosure. Please allow 90 days before public disclosure.
• Contributors who report valid vulnerabilities will be credited (unless anonymity is requested).

MirrorDNA is designed as a local-first protocol. The user holds identity keys and data. This architectural choice mitigates many classes of remote exploitation.