
Responsible Disclosure

If you find a security vulnerability in Lateo, please report it responsibly.

Contact

Email: security@lateo.network

What to report

  • Vulnerabilities in the Soroban smart contracts
  • Flaws in the Circom circuit constraints
  • Privacy leaks in the proxy server (data that should be hidden but isn’t)
  • Cryptographic weaknesses in key derivation, commitment scheme, or nullifier construction
  • Authentication bypasses
  • Any way to steal funds or break privacy guarantees

What NOT to report

  • Issues in third-party dependencies (report upstream)
  • Theoretical attacks that require quantum computing
  • Social engineering scenarios
  • Issues already documented in the Security Model page

Response

We commit to:

  • Acknowledging receipt within 48 hours
  • Providing an initial assessment within 7 days
  • Coordinating a fix before public disclosure
  • Crediting the reporter (unless anonymity is requested)