The Chimera project is dedicated to ensuring the security and safety of our brain-controlled exoskeleton platform and the privacy of our users. We value the contributions of security researchers and the broader community in helping us maintain a high standard of security. This document outlines how to report security vulnerabilities responsibly.
For a comprehensive overview of our internal security practices, principles, and controls, please refer to our detailed Internal Security Policy.
Please do not report security vulnerabilities through public GitHub issues, pull requests, or other public forums.
We encourage responsible disclosure of security vulnerabilities. If you believe you have found a security vulnerability in any Chimera project component, please report it to us privately through one of the following channels:
- Primary Method: Email our dedicated security team at [email protected].
- Alternative Method (if PGP encryption is preferred): You can encrypt your report using our PGP key. (Note: A placeholder PGP key/link would be inserted here once available. For now, email is the primary channel.)

```
-----BEGIN PGP PUBLIC KEY BLOCK-----
Comment: Chimera Project Security Team PGP Key (Placeholder)

mQINBF... (Placeholder PGP Key Data) ...=
-----END PGP PUBLIC KEY BLOCK-----
```
To help us understand and address the vulnerability effectively, please include the following information in your report (as much as possible):
- Type of Vulnerability: (e.g., Cross-Site Scripting, SQL Injection, Buffer Overflow, Authentication Bypass, Data Exposure, etc.)
- Affected Component(s): Specify the part of the Chimera platform affected (e.g., specific API endpoint, software module, hardware interface, mobile application feature).
- Location of the Vulnerability: Full paths of source file(s), specific commit hash, branch, or direct URL if applicable.
- Steps to Reproduce: Detailed step-by-step instructions to reproduce the vulnerability.
- Proof-of-Concept (PoC): Code snippets, scripts, or a working PoC to demonstrate the vulnerability.
- Impact Assessment: Your assessment of the potential impact of the vulnerability, including how an attacker might exploit it and the potential consequences for patient safety or data privacy.
- Configuration Details: Any special configurations or environmental conditions required to reproduce the issue.
- Contact Information: Your name and contact details for follow-up communication.
Providing comprehensive information will help us triage and validate your report more quickly.
When you report a vulnerability to us, we commit to the following:
- Acknowledgement: We will acknowledge receipt of your report within 48 business hours.
- Initial Assessment: We will conduct an initial assessment of the reported vulnerability and aim to provide an update on its validity and severity within 5-7 business days.
- Communication: We will maintain open communication with you throughout the remediation process, providing updates on our progress as appropriate.
- Remediation: We will work diligently to remediate validated vulnerabilities in a timely manner, prioritizing based on risk and impact, especially concerning patient safety.
- Coordinated Disclosure: We are committed to Coordinated Vulnerability Disclosure (CVD). We will work with you to determine an appropriate timeline for public disclosure once the vulnerability has been remediated. We request that you do not disclose the vulnerability publicly until we have had a reasonable opportunity to address it.
- Recognition: We appreciate the efforts of security researchers. While we do not currently have a formal bug bounty program, we are happy to provide public acknowledgement for your contribution upon successful remediation and with your consent.
This security policy applies to vulnerabilities found within:
- The `chimera_v2.0` GitHub repository and its codebase.
- Any publicly accessible services or APIs directly managed by the Chimera project for the exoskeleton platform.
This policy does not apply to:
- Third-party services or dependencies not directly under Chimera project control (though we appreciate reports if our usage of them introduces a vulnerability).
- Denial of Service (DoS/DDoS) attacks that do not involve a specific exploitable vulnerability.
- Social engineering or phishing attempts targeting Chimera project members or users.
- Physical security of facilities (unless it directly leads to a software/hardware vulnerability in the platform).
We consider security research and vulnerability disclosure activities conducted in accordance with this policy to be authorized and beneficial. We will not initiate legal action against researchers who:
- Adhere to this policy and report vulnerabilities responsibly.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not exploit a security issue for any reason beyond demonstrating the vulnerability to the Chimera security team.
- Do not access or modify data without explicit permission.
For more details on our overall security posture, please refer to the following documents within this repository:
We are committed to working with the security community to ensure the safety and security of the Chimera platform. Thank you for your help in keeping our project and our users safe.
This SECURITY.md document is maintained by the Chimera Security Team and was last updated on May 12, 2025.