Security: Squid-Proxy-Lovers/ccp

SECURITY.md

Security Policy

Reporting a vulnerability

Do not open a public issue. Email oss-security@spl.team and CC both vipin@spl.team and dudcom@spl.team.

Include enough detail to reproduce the issue. Proof of concept code or steps to trigger the bug are ideal. We'll confirm receipt within 48 hours and work with you on a fix timeline.

Bounty program

SPL started as a CTF team, so running a bounty program for our own stuff felt like the obvious thing to do. If you find a real vulnerability in CCP, we want to reward that.

Rewards include cash bounties starting at $20, T-shirts, SPL merch, and other prizes. Severity classification, prize selection, and reward amounts are at the maintainers' discretion. Prizes are subject to availability and no specific prize is guaranteed.

Valid reports are credited in HALL-OF-FAME.md.

Rules

  • Give us reasonable time to fix the issue before disclosing publicly.
  • One vulnerability per report.
  • Submissions that are clearly generated by AI without meaningful human review will result in a permanent ban from all future SPL open-source bounty programs.

Scope

Anything in this repository is in scope: the server, client, protocol crate, MCP bridge, install script, Docker configuration, and CI pipeline.

Out of scope: social engineering, denial of service against infrastructure you don't own, and issues in third-party dependencies that aren't specific to how CCP uses them.
