OAK exists to make adversarial behaviour against on-chain assets legible to defenders. The community around it includes investigators, detection engineers, vendors, researchers, and protocol teams — sometimes with overlapping commercial interests, sometimes with opposing ones.
This Code of Conduct keeps the work productive across that mix.
- Disagree on the content, not the contributor. Critique a PR's substance — methodology, citations, calibration, scope — not the person submitting it.
- Receipts beat opinions. Back claims with citations to citations.bib, links to public on-chain artefacts, or referenced public forensic write-ups. Anecdotes without sources are downgraded in review.
- Be honest about coverage. If your reference implementation has gaps, mark them. Inflated coverage claims undermine the framework that everyone here is building.
- Respect off-list disclosures. If a contributor shares non-public incident information per SECURITY.md, do not redistribute it without their explicit permission.
- Personal attacks, harassment, doxxing, or threats — public or private.
- Misrepresenting another vendor's coverage or capabilities. Critique with evidence; don't trash-talk.
- Linking to live attacker infrastructure, recoverable malicious code, or anything that turns OAK into an offensive resource. Cite public forensic write-ups instead.
- Misrepresenting affiliation with OAK or any other organisation.
The maintainers will:
- Privately warn for first-time issues.
- Lock or close threads that have become unproductive.
- Block accounts for repeated or severe violations.
To report a Code of Conduct issue, email conduct@onchainattack.org (subject prefix: [OAK-COC]). Reports are handled in confidence.
Maintainers are held to the same standard. If a maintainer's behaviour is the issue, escalate to the same address — co-maintainers (once invited per the v0.5 plan) will handle it independently.
This Code of Conduct draws on the spirit of the Contributor Covenant, simplified for OAK's scope and audience.