Open Contributions

Opportunities Submission

Contribute to DefAgent's mission of securing critical infrastructure through code, research, and vulnerability reporting.

Patch Submissions

💻 Code Contributions

Follow the developer standards, sign your work, and map security changes to MITRE ATT&CK.

Patch Requirements

  • Follow our Developer Standards — coding, formatting, and review conventions.
  • Include signed Developer Certificate of Origin (DCO) — every commit must be DCO-signed.
  • Provide threat model — in OWASP Threat Dragon format.
  • Map to MITRE ATT&CK — every security change maps to a TTP-ID.

Patch Template

[DA-{ticket}] {type}({module}): {subject}

{body}
- Risk: [Critical/High/Medium/Low]
- ATT&CK: [TTP-ID]
- Tests:
  ✅ Unit (90%+ coverage)
  ✅ Hardware (TAK-X Test Bench)
  ✅ Adversarial (FGSM/PGD)
Review Process

How patches are reviewed.

Initial review

Within 72 hours of submission, the security team triages and acknowledges the patch.

Critical fixes

24-hour SLA for Critical-risk patches; expedited path to merge and release.

Testing

Automated SAST/DAST plus manual review — unit, hardware (TAK-X Test Bench), and adversarial (FGSM/PGD).

Bug Bounty Program

🐞 Bug Bounty Program

Responsibly disclosed vulnerabilities in DefAgent software, hardware, and AI models are rewarded.

In-Scope

  • Remote Code Execution (RCE)
  • Authentication bypass
  • Data leakage in TAK-X OS
  • Hardware tampering
  • AI model poisoning

Out-of-Scope

  • Self-XSS
  • Theoretical issues without PoC
  • Third-party vulnerabilities

Bug Report Template

**Title**: [CWE-ID] Brief description
**Affected Component**: [e.g., DefAgent App v2.1]
**Severity**: [Critical/High/Medium/Low]
**Steps to Reproduce**:
1. Step 1
2. Step 2
**Impact**: [What an attacker could achieve]
**Suggested Fix**: [Optional]
**ATT&CK Mapping**: [e.g., T1190]
Rewards

Bounty ranges by severity.

Severity Bounty Range Example
Critical$5,000–$15,000RCE in TAK-X OS
High$2,000–$5,000Auth bypass
Medium$500–$2,000Privilege escalation
Low$100–$500CSRF with low impact
Submit a report

Submission Form

Submit a patch or vulnerability report directly to the DefAgent security team. For sensitive reports, use PGP.

By submitting, you confirm you are not a citizen or resident of any restricted country or entity on U.S. sanctions or denial lists, and you agree to DefAgent's Bug Bounty Terms.

Email PGP-encrypted

Need help?

For sensitive disclosures, email bounty@defagent.io (PGP key 0x1A2B3C4D) or reach the team via the contact page.

Ship with DefAgent.

Patches, research, and vulnerabilities all move the mission forward. Submit yours today.