We take security seriously. If you discover a security vulnerability in ResonantOS, please help us by reporting it responsibly.
Security vulnerabilities should never be reported through public GitHub issues.
Please report security issues through one of these private channels:
- Email: manolorem@gmail.com
- Discord: Direct message @ManoloRemiddi
- GitHub: Use GitHub's private vulnerability reporting feature
Please provide:
- Description: A clear explanation of the vulnerability
- Impact: What could an attacker do?
- Reproduction Steps: How to reproduce the issue
- Affected Versions: Which versions are vulnerable
- Suggested Fix: If you have ideas (optional)
Response timeline you can expect after reporting:
- 48 hours: Initial response acknowledging receipt
- 7 days: Assessment and severity classification
- 30 days: Target for fix and disclosure (may vary by severity)
ResonantOS is designed with security in mind:
- No Cloud Dependencies: Everything runs on your machine
- No Telemetry: We don't track usage or phone home
- Your Data Stays Yours: No external data collection
We implement multiple security layers:
- Shield: 14 blocking security layers, file protection, YARA scanning (active)
- Logician: Policy engine with 285+ facts and Mangle/Datalog rules (active)
- Guardian: Self-healing and incident recovery (design phase)
- File Locking: OS-level immutable flags for critical files
- All dependencies are reviewed
- No arbitrary code execution from external sources
- Sanitization before any public releases
- Regular security audits
- File Locking: Critical documents are protected via OS-level immutable flags (`chflags uchg` on macOS/BSD)
- Sanitization Auditor: `tools/sanitize-audit.py` scans for leaked secrets before public releases
- Local Execution: All code runs locally; no external API calls are made without user consent
- Guardian: Anomaly detection, self-healing, incident recovery (design phase; see limitations below)
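As an added illustration of what a pre-release sanitization audit does, the following Python scanner checks a constructed in-memory file tree for well-known credential shapes and uses a Shannon-entropy gate so that placeholder values such as `XXXXXXXX` do not trip the generic `key = value` rule. This is example code written for this page, not the project's own `tools/sanitize-audit.py` (whose rules this page does not describe); the rule names, the 3.5 bits/char threshold, the skipped directories and the sample files are all assumptions. `AKIAIOSFODNN7EXAMPLE` is the key used in AWS's own documentation examples.

```python
"""Minimal pre-release secret scanner (added illustration, not the project's
tools/sanitize-audit.py). Scans an in-memory tree of files, flags well-known
credential shapes by regex, and uses Shannon entropy to drop obvious
placeholders matched by the noisy generic "key = value" rule."""
import math
import re
from collections import Counter
from typing import NamedTuple


class Finding(NamedTuple):
    path: str
    line_no: int
    rule: str
    snippet: str


# Assumed rule set: each regex anchors on a distinctive prefix or keyword so
# ordinary identifiers do not fire. "generic_assignment" is the noisy one and
# is additionally gated on the entropy of the captured value.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|token|password)\b\s*[:=]\s*['"]?([A-Za-z0-9_\-/+=]{16,})['"]?"""
    ),
}
ENTROPY_THRESHOLD = 3.5  # bits/char (assumed); random 32-char tokens sit near 5
SKIP_DIRS = (".git/", "node_modules/", "__pycache__/")  # assumed noise directories


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for a constant string like 'XXXXXXXX'."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Run every rule over every line; returns one Finding per (rule, line) hit."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, rx in RULES.items():
            m = rx.search(line)
            if not m:
                continue
            if rule == "generic_assignment" and shannon_entropy(m.group(1)) < ENTROPY_THRESHOLD:
                continue  # placeholder / redacted value, not a live credential
            findings.append(Finding(path, line_no, rule, line.strip()[:80]))
    return findings


def audit_tree(files: dict[str, str]) -> list[Finding]:
    """files maps relative path -> content (stand-in for walking a checkout)."""
    out = []
    for path, text in files.items():
        if path.startswith(SKIP_DIRS) or any(f"/{d}" in path for d in SKIP_DIRS):
            continue
        out.extend(scan_text(path, text))
    return out


def release_is_clean(files: dict[str, str]) -> bool:
    """True when nothing in the tree should block a public release."""
    return not audit_tree(files)


# Constructed sample tree. The GitHub-style token is just "ghp_" plus 36
# alphanumerics; the API key is a 32-character string of distinct characters.
SAMPLE_TREE = {
    "config/settings.py": (
        'API_KEY = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV"\n'  # high entropy -> flagged
        'PASSWORD = os.environ["DB_PASSWORD"]\n'          # read from env -> fine
        'token_expiry = 3600\n'                            # not a credential
    ),
    "config/example.env": 'API_KEY = "XXXXXXXXXXXXXXXXXXXX"\n',  # placeholder -> dropped
    "scripts/deploy.sh": "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "notes/old.txt": "ghp_0123456789abcdefghijklmnopqrstuvwxyz\n",
    "keys/id_rsa": "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
    ".git/config": 'token = "a1B2c3D4e5F6g7H8i9J0kLmNoPqRsTuV"\n',  # skipped dir
}

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_TREE):
        print(f"{f.path}:{f.line_no} [{f.rule}] {f.snippet}")
    raise SystemExit(0 if release_is_clean(SAMPLE_TREE) else 1)
```

Run as a script it exits non-zero when anything is flagged, which is the shape a release pipeline wants so that the sanitization step can gate the publish job. The entropy gate is what keeps a scanner like this usable: without it, every `API_KEY = "CHANGEME"` style placeholder in example configs becomes a false positive and the check gets ignored.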
ResonantOS is in alpha. Current limitations:
- Guardian is not yet complete
- Limited sandboxing for AI operations
- File locking requires manual setup
- No formal security audit yet
Use in production at your own risk. This is experimental software.
Security fixes are our highest priority:
- Critical: Patched immediately, released within 24-48h
- High: Patched within 7 days
- Medium: Patched in next regular release
- Low: Documented, fixed when feasible
To stay informed about security releases:
- Watch this repository for security advisories
- Join our Discord for announcements: https://discord.gg/MRESQnf4R4
- Check releases for security patches
The Resonant Chamber DAO uses the Solana blockchain:
- Soulbound Tokens ($RCT): Non-transferable, so governance weight cannot be bought, sold or traded
- Multi-sig Treasury: Requires multiple approvals for fund movements
- Transparent Governance: All votes are recorded on-chain and are auditable
- Time Locks: Major changes require a 7-day voting period
We appreciate responsible disclosure. Contributors who report valid security issues will be:
- Credited in release notes (if desired)
- Awarded $RCT governance tokens
- Recognized in the community
Security is a journey, not a destination. Help us build something secure together.
Thank you for helping keep ResonantOS safe.