Only the latest release on the main branch receives security fixes.

Do not open a public GitHub issue for security vulnerabilities.

Use GitHub's private vulnerability reporting to submit a report confidentially. This is the fastest path to triage.

Send a report to security@stellarkraal.example.com with:

• A description of the vulnerability and its potential impact
• Steps to reproduce or a proof-of-concept
• Affected component(s): backend API, frontend, Soroban smart contract, infrastructure
• Any suggested mitigations (optional)

If you prefer to encrypt your report, request our PGP public key via the email above before sending.

We will keep you informed of progress throughout the process.

• Authentication and authorization flaws (JWT handling, session management)
• Smart contract vulnerabilities (Soroban/Stellar on-chain logic)
• Injection vulnerabilities (SQL injection, command injection)
• Sensitive data exposure (loan data, wallet addresses, PII)
• Insecure direct object references in the REST API
• Dependency vulnerabilities with a realistic exploit path

• Vulnerabilities in third-party services (Stellar network, Soroban RPC)
• Issues requiring physical access to infrastructure
• Social engineering attacks
• Denial-of-service attacks against the testnet deployment
• Findings from automated scanners without a demonstrated impact
• Missing security headers on non-sensitive static assets

There is currently no paid bug bounty program. We do publicly acknowledge researchers who responsibly disclose valid vulnerabilities in our CHANGELOG.md and release notes, with their permission.

We follow coordinated disclosure. Please allow us the response timeline above before publishing your findings. We will work with you to agree on a disclosure date once a fix is available.