The Onionr software and any nodes you control are within scope.
Avoid social engineering, volume-based denial of service and disrupting or harming the Onionr network. Do not attempt to exploit any machines/servers you do not own or otherwise have permission to do so.
The following exploits are of particular interest:
* Arbitrary code execution
* API authentication bypass (such as accessing local API from public interface)
* Deanonymization:
* Easily associating public keys with server addresses
* Discovering true server IPs when behind Tor/I2P (aside from Tor/i2p-level attacks)
* Easily discovering which nodes are the block creator
* Timing attacks against the local http server that are exploitable from a browser ([see blog post](https://www.chaoswebs.net/blog/timebleed-breaking-privacy-with-a-simple-timing-attack.html))