| Version | Supported |
|---|---|
| main | ✅ |

Do not report security vulnerabilities through public GitHub issues. Instead:
- Email the maintainers directly with details
- Include steps to reproduce if possible
- Allow reasonable time for a fix before public disclosure

Reports in scope include:
- Authentication/authorization bypasses
- Data exposure or leakage
- Injection vulnerabilities (SQL, XSS, etc.)
- Secrets exposed in code or logs (incl. private keys, signer secrets)
- Cloudflare Workers security misconfigurations
- Smart contract vulnerabilities (reentrancy, access control, integer over/underflow, oracle manipulation, etc.)
- Misconfigured Foundry deploy scripts that leak signer or RPC credentials

We aim to:
- Acknowledge receipt within 48 hours
- Provide an initial assessment within 1 week
- Release a fix as soon as practical

Contributors should follow these practices:
- Never commit secrets, API keys, or credentials (incl. wallet private keys, RPC URLs with embedded auth)
- Use environment variables for sensitive config; for Foundry, prefer hardware-wallet / keystore signers over `--private-key` anywhere other than a local Anvil node
- Validate all user input (server-side, and on-chain via `require` / custom errors)
- Follow the project's security rules in `.claude/rules/`
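As an added example (not part of this repository's own tooling), the POSIX shell script below is a pre-commit style check for the three leak patterns the practices above describe: `--private-key` used against anything other than a local Anvil node, RPC URLs with embedded credentials, and a literal private key assigned to a `*PRIVATE_KEY` variable. The regexes, the sample file names and the "local Anvil" exemption (lines mentioning `anvil`, `localhost` or `127.0.0.1`) are assumptions chosen for illustration; the sample deploy scripts it writes are constructed and contain no real secrets.

```shell
#!/bin/sh
# Added example, not part of this project's tooling: a pre-commit style scan for
# the credential leaks listed in the contributor practices above. Patterns, file
# names and the "local Anvil" exemption are assumptions made for illustration.

# scan_file FILE: print one "file:line: message" per finding; exit 0 only if clean.
scan_file() {
  f="$1"
  hits=0

  # Rule 1: --private-key on a forge/cast line that is not pointed at local Anvil.
  # A keystore account (--account, created with `cast wallet import`) or --ledger
  # keeps the key out of shell history and scripts.
  r1=$(grep -nE -- '--private-key' "$f" \
       | grep -viE 'anvil|localhost|127\.0\.0\.1' | cut -d: -f1)
  for n in $r1; do
    printf '%s:%s: --private-key used outside local Anvil; use --account or --ledger\n' "$f" "$n"
    hits=$((hits + 1))
  done

  # Rule 2: RPC URL with embedded credentials (scheme://user:pass@host).
  r2=$(grep -nE '(https?|wss?)://[^/@[:space:]]+:[^/@[:space:]]+@' "$f" | cut -d: -f1)
  for n in $r2; do
    printf '%s:%s: RPC URL embeds credentials; read it from the environment instead\n' "$f" "$n"
    hits=$((hits + 1))
  done

  # Rule 3: a literal 32-byte hex private key assigned to a *PRIVATE_KEY variable.
  r3=$(grep -nE "^[[:space:]]*(export[[:space:]]+)?[A-Z_]*PRIVATE_KEY[[:space:]]*=[[:space:]]*[\"']?0x[0-9a-fA-F]{64}" "$f" \
       | cut -d: -f1)
  for n in $r3; do
    printf '%s:%s: hardcoded private key; load it from a keystore or env var\n' "$f" "$n"
    hits=$((hits + 1))
  done

  [ "$hits" -eq 0 ]
}

# write_samples DIR: write two CONSTRUCTED deploy scripts (no real secrets) to DIR.
write_samples() {
  cat > "$1/deploy_bad.sh" <<'EOF'
#!/bin/sh
# CONSTRUCTED leaky deploy script for demonstration only
export DEPLOYER_PRIVATE_KEY=0x0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
forge script script/Deploy.s.sol --rpc-url https://alice:s3cret@rpc.example.invalid --broadcast --private-key $DEPLOYER_PRIVATE_KEY
# Local development against anvil, where a throwaway key is acceptable:
forge script script/Deploy.s.sol --rpc-url http://127.0.0.1:8545 --broadcast --private-key $ANVIL_KEY
EOF
  cat > "$1/deploy_ok.sh" <<'EOF'
#!/bin/sh
# CONSTRUCTED deploy script using a keystore account; no secret material here
forge script script/Deploy.s.sol --rpc-url "$RPC_URL" --broadcast --account deployer --sender "$DEPLOYER_ADDR"
EOF
}

# Demo: scan the constructed samples in a temporary directory.
# deploy_bad.sh yields three findings (one per rule); deploy_ok.sh is clean.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/deploy_bad.sh" "$tmp/deploy_ok.sh"; do
  scan_file "$f" && echo "$f: clean"
done
rm -rf "$tmp"
```

Wire `scan_file` into a pre-commit hook over the staged `script/`, `.env*` and shell files and the commit is refused while any finding is printed; the Anvil exemption is deliberately crude (any line naming `anvil`, `localhost` or `127.0.0.1` is skipped), so treat it as a guard rail rather than a substitute for keeping signers in a keystore.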