Security & Responsible Disclosure

AXIOMAX LLC takes the security of AXIOMAX ESG Carbon Shield seriously. We welcome security researchers and reward good-faith disclosure.

Report a vulnerability

Email [email protected]. Do not file public GitHub issues for security vulnerabilities.

Initial acknowledgment within 24 hours. Coordinated disclosure following responsible disclosure principles.

Cryptographic foundations

• ed25519 digital signatures (RFC 8032)
• SHA-256 hash chaining (FIPS 180-4)
• Argon2id passphrase-derived keys (RFC 9106)
• AES-256-GCM at-rest encryption (NIST SP 800-38D)
• LUKS2 full-volume encryption

Scope

In scope: cryptographic protocol vulnerabilities, reference verifier bugs leading to incorrect VALID/INVALID results, public infrastructure security issues, authentication bypass, privacy leaks.

Out of scope: physical access to client hardware, social engineering, DoS attacks, issues in third-party services (Cloudflare, GitHub, Hetzner).

Bug bounty

Critical findings (signature forgery, hash collision attack, master key compromise) qualify for a monetary bug bounty on a case-by-case basis. All verified findings receive public credit unless the researcher prefers anonymity.

Hall of Fame

Researchers who report verified vulnerabilities in good faith will be acknowledged here.

AXIOMAX LLC · La Margarita LL F34 · Salinas Puerto Rico 00751 · Patent Pending USPTO 64/081,419