Security fixes are applied to the latest version only. This project is in prototype stage and has not been audited for production use.

Do not open a public GitHub issue for security vulnerabilities.

Use GitHub Security Advisories to report privately. This keeps the disclosure confidential until a fix is ready.

Include in your report:

• Affected function(s) or file(s)
• Steps to reproduce or proof of concept
• Impact assessment (e.g. fund loss, access control bypass, DoS)
• Suggested fix (optional)

We will keep you informed throughout the process and coordinate disclosure timing with you before publishing a security advisory.

• Critical — Direct loss of funds, pool drainage, unauthorized token transfers
• High — Access control bypass, contract upgrade abuse
• Medium — Denial of service, logic errors without direct fund loss
• Low — Information disclosure, minor logic issues

The following are not eligible for security reports:

• Frontend UI components and mock data (not yet in this repository)
• Backend services and APIs (not yet in this repository)
• Issues requiring physical access to a user's device
• Social engineering attacks
• Third-party dependencies unless directly exploitable in the contract context
• Network-level attacks on Stellar infrastructure
• Vulnerabilities in already-deprecated or unsupported versions

There is no formal paid bug bounty program at this time. Researchers who responsibly disclose valid vulnerabilities will be:

• Credited in the published security advisory (with permission)
• Acknowledged in release notes and community channels

This may be revisited as the project matures toward production.

1. Reporter submits via GitHub Security Advisories (private)
2. Team acknowledges within 48 hours
3. Team triages severity within 7 days
4. Fix developed and reviewed based on severity timeline above
5. Reporter notified before public disclosure
6. Security advisory published after fix is deployed
7. Reporter credited (with permission)