Security

Coordinated vulnerability disclosure

Last updated: April 27, 2026

Mantatech Ltd treats security reports as the first-class input that they are. If you believe you have found a vulnerability in MantaRay, MantaRay-Core, mantarayd or any Mantatech-operated endpoint, this page tells you how to disclose it to us safely and what to expect in return.

Reporting

How to report

  • Email: security@mantatech.ltd. Please use a clear subject line such as "[Security] brief summary".
  • Encryption: we accept PGP-encrypted reports. The current key fingerprint can be fetched from /.well-known/security.txt.
  • Include in the report: affected component and version, environment (OS / device), a minimal proof of concept, and your assessment of impact. Screenshots and packet captures are welcome where applicable.

Response targets

What to expect from us

  • First human reply: ≤ 2 business days
  • Triage & severity: ≤ 5 business days
  • Fix in next release: Critical ≤ 14 days
  • Public credit: After deployment, with your consent

Scope

In scope

  • MantaRay client applications (iOS, iPadOS, macOS, Android, Android TV, Windows)
  • MantaRay-Core VPN engine (Rust)
  • mantarayd OpenWrt companion daemon
  • api.mantatech.ltd update manifests, crash report ingestion, TV pairing endpoints
  • mantatech.ltd and mantaray.app marketing sites

Out of scope

  • Servers, subscription URLs and infrastructure that users configure themselves
  • Apple iCloud, Google Firebase or other third-party services that the app interoperates with
  • Issues that require physical access to a device or full-disk encryption to be off
  • Reports generated solely by automated scanners without a working proof of concept
  • Self-XSS, missing security headers on static marketing pages, and similar low-impact findings

Safe harbour

What we ask of you

  • Test only on accounts and devices that you own or are explicitly authorised to test. Do not access, modify, or destroy data that does not belong to you.
  • Avoid privacy violations, traffic interception of users you do not control, denial of service attacks against api.mantatech.ltd, and any action that could degrade the service for others.
  • Give us a reasonable amount of time to reproduce and remediate before disclosing publicly. We will agree on a coordinated disclosure date during triage.

When you act in good faith and follow the rules above, Mantatech Ltd will not pursue legal action against you for your research and will publicly credit you for the finding (with your consent).

Hall of fame

Researchers we have shipped fixes for

We will list researchers who report a confirmed vulnerability here, after a fix has shipped, with their consent. The list is currently empty — be the first.

No public reports yet.