Security incidents
Quarterly summary of security findings closed at meandai. We publish what we’ve fixed, without details that would aid attackers against unpatched systems elsewhere.
Cadence
We publish a public summary quarterly: Jan, Apr, Jul, Oct. Each summary covers the previous three months.
Within each summary we report:
- Number of P0 (critical) and P1 (high) issues closed
- Number of P2 (medium) issues closed
- Number of P3 (low) issues risk-accepted with rationale
- Vendor pentests run during the period
- Researcher acknowledgements (with consent)
We do not publish:
- Reproducers, payloads, or fix commit SHAs
- Customer-identifying details
- Findings still under embargo (90-day responsible disclosure window)
Latest summary
Q2 2026 (Apr–Jun) — to be published 2026-07-15.
meandai launches in beta during this quarter. The first public summary will cover the period from beta launch to end of June 2026 and will include findings from the first external pentest cycle (Securitum web/API + Cure53 AI scope) plus internal red-team passes.
Archive
No prior public summaries published yet — meandai is pre-launch at the time of writing.
Pre-launch security work (W14–W19 audit chain, Track 0 daily gates, internal red-team baseline) will be documented in our public engineering log under /docs/security once the repo’s public mirror is live.
Reporting a finding
If you’ve found something we should know about, please use responsible disclosure or the bug bounty program. Don’t open a public GitHub issue or post on social media — give us a chance to fix it first.
Page version 1.0 — published 2026-05-04.