Security: KaJLabs/Lithosphere

Security Policy

Supported Versions

Version                     Supported
Makalu Testnet (current)    Yes

Reporting a Vulnerability

We take security seriously. If you discover a security vulnerability in the Lithosphere protocol, explorer, APIs, or any associated infrastructure, please report it responsibly.

How to Report

  • Email: security@litho.ai
  • Subject line: [SECURITY] <brief description>
  • Include: Steps to reproduce, affected components, potential impact, and any suggested fixes

What to Expect

  1. Acknowledgment: We will acknowledge receipt of your report within 48 hours.
  2. Assessment: Our team will assess the severity and impact within 5 business days.
  3. Resolution: We will work on a fix and coordinate disclosure with you.
  4. Credit: With your permission, we will credit you in the security advisory.

Scope

The following are in scope for responsible disclosure:

  • Lithosphere node software (lithod)
  • Explorer and block explorer APIs (makalu.litho.ai)
  • Public RPC endpoints (rpc.litho.ai, api.litho.ai)
  • Smart contract standards (LEP100)
  • SDKs and developer tools

Out of Scope

  • Denial-of-service attacks against production infrastructure
  • Social engineering of team members
  • Third-party services not operated by Lithosphere

Disclosure Policy

  • Do not publicly disclose the vulnerability before we have had a chance to address it.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not access or modify data belonging to other users.

Security Audits

Lithosphere is actively pursuing third-party security audits. Completed audit reports will be published here with scope statements and remediation status as they become available.

There aren’t any published security advisories