Responsible Disclosure

Last updated: 2026-06-09

Atrium accepts vulnerability reports for the public testnet deployment. A formal bounty program, including reward terms and legal scope, will be published separately before it opens.

In scope

  • Testnet contracts on Arbitrum Sepolia:
    • Plinth (margin engine)
    • Vigil (liquidation engine)
    • Coffer (ERC-4626 vault)
    • Sigil (agent mandates)
    • Aqueduct, Postern, Portico, Edict, Praetor
  • Atrium app at useatrium.me
  • Codex API at atrium-codex.prtk8899.workers.dev (live)
  • Tablet API at tablet.useatrium.me (when behind auth)

Out of scope

  • Front-end UI bugs without security impact
  • Social engineering attacks
  • Third-party services (Vercel, Cloudflare, Sentry)
  • Theoretical risks already documented in audits/
  • Dependencies under resources/ (report upstream)

Priority

Reports are prioritized by impact, exploitability, affected surface, and quality of reproduction.

  • Critical: fund loss, unauthorized admin action, contract takeover.
  • High: privilege escalation, incorrect accounting, exploitable denial of service.
  • Medium: information disclosure, bypassable limits, user-impacting security flaws.
  • Low: hardening issues and best-practice gaps without direct exploitability.

Disclosure process

  • Report to security@useatrium.me.
  • Include steps to reproduce, the affected route or contract, the impact, and any relevant transaction hashes.
  • We acknowledge within 48 hours and prioritize by severity.
  • A 90-day responsible disclosure window applies from the date of the report.
  • Do not publicly disclose until the 90-day window expires or we publish a fix.

Hall of fame

Researchers who responsibly disclose are credited at /security/hall-of-fame.