# Responsible Disclosure & Reporting

## 5.1 Responsible Disclosure & Reporting

Modulexo is public on-chain infrastructure.

All contract code and state are publicly verifiable.

This section defines the reporting channel for technical vulnerabilities and governance-level issues.

***

## I. Scope of Reporting

Responsible disclosure applies to:

• Smart contract vulnerabilities\
• Logic inconsistencies\
• Access control flaws\
• Reentrancy exposure\
• Upgradeability misconfiguration\
• Governance bypass vectors\
• Incorrect documentation of control state

It does not apply to:

• Market volatility\
• Economic dissatisfaction\
• Participation regret\
• Token price movements\
• Distribution expectations

Only technical issues fall under disclosure scope.

***

## II. Disclosure Channel

Security reports must be submitted to:

```
security@[project-domain]
```

(Replace with official domain email.)

Reports should include:

• Contract address\
• Chain ID\
• Transaction hash (if applicable)\
• Reproduction steps\
• Impact description

Optional:

• Proof-of-concept\
• Suggested mitigation

Anonymous disclosure is permitted.

PGP encryption may be supported (optional, if provided).

***

## III. Disclosure Process

Upon receipt:

1. Report is acknowledged.
2. Technical validity is assessed.
3. If confirmed:
   * Mitigation path determined
   * Governance escalation initiated (if required)
4. Public disclosure timing coordinated if necessary.

There is no bounty program unless explicitly stated elsewhere.

There is no compensation guarantee.

***

## IV. Governance Escalation

If a vulnerability affects governance-controlled contracts, the escalation path is:

1. Governor proposal creation
2. Vote
3. Timelock execution

Emergency action may be limited by:

• Ownership state\
• Upgradeability model\
• Timelock delay

All actions are on-chain and publicly visible.

***

## V. Limitations

Modulexo:

• Does not guarantee immediate remediation\
• Does not guarantee compensation\
• Does not reverse irreversible transactions\
• Does not provide financial restitution

Disclosure improves system integrity.\
It does not alter participation outcomes.

***

## VI. Public Monitoring

All critical events are observable via:

• `Recycled`\
• `Claimed`\
• `Sponsored`\
• `AssetSet`\
• `OwnershipTransferred`\
• `ProposalExecuted`

Independent monitoring is encouraged.

***

## VII. Reporting Boundaries

This channel is not for:

• Customer service\
• Refund requests\
• Legal disputes\
• Off-chain agreements

Technical issues only.
