# Security & Governance Exploit Policy

This repository has two distinct attack surfaces, and we treat both as
security-critical:

1. **The tooling** — `govtool`, the CI workflows, the ledger and signature
   code. Bugs here can forge votes, corrupt the ledger, or let an unratified
   change merge.
2. **The constitutional text itself** — wording under `constitution/` that a
   faction could exploit *while following the rules exactly as written*. A
   quorum definition that lets 3 people speak for 300, an emergency clause
   with no sunset, an ambiguity in tally rules — these are vulnerabilities in
   the precise sense this project uses the word.

## Reporting

**Please do not open a public issue for either category before disclosure.**
A governance exploit published before a fix is ratified is live ammunition:
unlike a code patch, a constitutional fix requires a vote window and cannot
ship in hours.

- Use GitHub's **private vulnerability reporting** on this repository
  (Security tab → "Report a vulnerability"), which works for both tooling
  bugs and text exploits.
- Include: the exact files/articles or code paths involved, a step-by-step
  scenario (who does what, in what order), and the outcome the attacker
  achieves. For text exploits, the scenario format in `docs/pipeline.md`
  (actors, actions, expected vs. actual outcome) is ideal.

## What happens to a confirmed report

- **Tooling bug:** fixed in code, released, and covered by a regression test
  in `tests/` before the advisory is published.
- **Text exploit:** an amendment PR is drafted to close the hole, and the
  exploit scenario is added as a **permanent regression test** so no future
  amendment can silently reintroduce it. This is a standing constitutional
  commitment, not just project policy: every exploit found becomes part of
  the test suite forever. Reporters are credited in the amendment's rationale
  unless they ask not to be.
- **Severity triage** uses one rule above the others: how badly does the
  worst-off participant fare if the exploit is executed? An exploit that
  disenfranchises a minority outranks one that merely delays a vote.

## Out of scope

- Hypotheticals that require breaking the rules outright (e.g. "an admin
  edits the ledger by hand") are governance *enforcement* questions, tracked
  as ordinary issues — the ledger's hash chain and signature checks are
  designed to make such tampering evident, not impossible.
- Vulnerabilities in GitHub itself or in upstream dependencies should go to
  those projects; tell us too if our usage amplifies them.

## Supported versions

Only the tip of `main` (the current ratified constitution version recorded in
`constitution/version.yaml`) and the latest released `govtool` are supported.
Forks created with the fork tooling are responsible for their own triage, but
exploits in shared kernel text should be reported here so every downstream
fork can pick up the fix.