Only the current main branch and the last tagged release are supported with security updates.

We take the security of our smart contracts, backend, and frontend seriously.

Please do not report security vulnerabilities through public GitHub issues.

If you believe you have found a security vulnerability, please reach out to us via the Contributor Telegram and request a private, encrypted contact channel for full disclosure.

• A description of the vulnerability and its impact.
• Steps to reproduce the vulnerability.
• Any relevant logs or output.

• In-Scope: Smart contracts, backend, and frontend code contained in this repository.
• Out-of-Scope: Third-party services, dependencies, and infrastructure not managed directly by this repository.

• We aim to respond to all vulnerability reports within 5 business days.
• We request a 90-day disclosure window to give us time to investigate and patch the vulnerability before it is publicly disclosed.
• At this time, we do not offer a paid bounty program, but we appreciate and may acknowledge responsible disclosures.