Security policy
April 26, 2026 · View on GitHub
If you believe you've found a security vulnerability in any Larkin package, please do not open a public issue. Instead, email security@larkin.sh with details.
What we promise
- Acknowledgment within 48 hours.
- A fix or mitigation plan for critical issues within 14 days.
- Credit in the published advisory unless you ask to be anonymous.
We do not currently operate a paid bug bounty program.
In scope
- Published versions of
@larkinsh/x402,@larkinsh/verify,@larkinsh/mcp, andlarkin-x402(PyPI). - The example consumer at
tests/x402-demo.
Out of scope (different reporting paths)
- The hosted scoring service at https://larkin.sh — also report to security@larkin.sh; the team is the same but the codebase is separate.
- Third-party dependencies (npm, GitHub, Vercel, Supabase, etc.) — report to those vendors directly.
Disclosure
We coordinate disclosure with reporters. After a fix ships, we publish an advisory via GitHub Security Advisories.