Skip to content
Mog is in active development. The GitHub repo, SDK packages, and community channels are not yet available. Follow for launch updates
DocsAPIEcosystemBlogCommunityPlayground
စတင်မည်

Security Policy

We take the security of Mog and its users seriously. This page describes how to report vulnerabilities and what to expect.

Reporting a Vulnerability

If you discover a security vulnerability in Mog, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.

Email [email protected] with a detailed description of the vulnerability, steps to reproduce, and any relevant proof-of-concept code.

Response Timeline

48 hoursWe will acknowledge receipt of your report and assign a tracking identifier.
7 daysWe will complete an initial assessment of the vulnerability, confirm its validity, and communicate our findings to you.
90 daysWe aim to release a fix within 90 days of the initial report. We will coordinate with you on disclosure timing.

Scope

In scope

  • Rust compute engine (compute-core)
  • Node.js, Python, and browser SDKs
  • WebAssembly bindings and bridge framework
  • The sheetmog.ai website and its infrastructure
  • Collaboration server and CRDT transport layer

Out of scope

  • Social engineering attacks against maintainers or users
  • Denial of service (DoS/DDoS) attacks
  • Vulnerabilities in third-party dependencies (report these to the upstream project)
  • Issues that require physical access to a device
  • Spam, phishing, or other non-technical attack vectors

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized, and we will not pursue legal action against researchers acting in good faith. Specifically:

  • We will not initiate legal action against researchers who report vulnerabilities in compliance with this policy.
  • We will not pursue claims under the Computer Fraud and Abuse Act (CFAA) or equivalent laws for good-faith security research.
  • If a third party initiates legal action against you for research conducted under this policy, we will make it known that your actions were authorized.

Recognition

We believe in recognizing the work of security researchers who help keep Mog safe. Contributors who report valid vulnerabilities will be credited in our security advisories and release notes — unless they prefer to remain anonymous.

We do not currently offer a monetary bug bounty program, but we are evaluating this for the future.

PGP Key

A PGP public key for encrypting sensitive vulnerability reports will be available at launch. In the meantime, please send reports to [email protected] and we will establish a secure channel if needed.