Security is a top priority for the StellarForge project. As a Soroban-based smart contract library, we build, review, and maintain code with a focus on protecting user assets, preserving contract integrity, and enabling responsible disclosure.

| Version | Status |
|---|---|
| 1.0.x | Supported |
| 0.9.x | Unsupported |
| 0.8.x and earlier | Unsupported |

If you discover a security issue, do NOT open a public GitHub issue. Public posts can expose vulnerabilities and increase risk to users.
Please report privately via:

- Email: [Your Email]
- GitHub Private Vulnerability Reporting feature

Once a report is received:

- We will acknowledge receipt within 48 hours.
- We may request additional details or reproduce the issue.
- We will provide an estimated timeline for a fix.
- We coordinate disclosure to avoid exposing users before a safe patch is available.

This policy covers the core StellarForge smart contracts, including forge-oracle and other contracts in this repository (such as forge-governor, forge-multisig, forge-stream, forge-vesting), plus any shared libraries that directly affect contract security.
We value security researchers and appreciate responsible reporting to help us keep the ecosystem safe.