Please do not open a public issue for security problems.

Email security@parad0xlabs.com with:

• what you found and where (repo / page / program / endpoint),
• how to reproduce it, and
• the impact you think it has.

We'll acknowledge your report, work a fix, and credit you if you'd like once it's resolved. Please give us a reasonable window to address it before any public disclosure.

In scope: this repo and the public web0 stack repos (resolver, x402 rail, ZK identity, compute mesh, SDK).

Especially valuable: anything that could move funds, forge a payment or receipt, break .null ownership or resolution, or de-anonymize a private payment.

The core registry is live on Solana mainnet — .null registration, resolution, transfer, recipient-private pay-by-name (null_registrar), and the auction / resale marketplace (null-auction); see docs/PROGRAMS.md for the canonical id list. The Dark NULL privacy layer (shielded pool, GhostScore, fully-anonymous ownership, x402 access gate) is live and ZK-verified end-to-end on Solana devnet, with mainnet rolling out. Treat devnet value conservatively until the rollout completes. Responsible disclosure is genuinely appreciated.