We currently support and provide security updates for the following components:

Older versions or experimental branches (like beta or alpha) are generally not supported with backported security updates.

Please do NOT report security vulnerabilities through public GitHub issues.

If you believe you have found a security vulnerability in PulsarTrack, please report it to us privately to ensure it can be addressed before being publicly disclosed.

Please send an email to: security@drips.network (or open a confidential security advisory on GitHub).

In your report, please include:

• A description of the vulnerability and its potential impact.
• Steps to reproduce the issue (proof-of-concept scripts or detailed instructions).
• The specific files or endpoints affected.
• Any potential mitigation or workaround if you have one.

We take all security reports seriously and commit to the following timelines:

• Acknowledgment: Within 48 hours of your report.
• Triage & Initial Assessment: Within 7 days of acknowledgment.
• Resolution & Patch: We aim to release a patch or mitigation for critical vulnerabilities within 14 days, though complex issues affecting smart contracts may take longer due to required testing and auditing.

The following components are fully in scope for security reports:

• Soroban Smart Contracts: Any contract deployed under the PulsarTrack project (e.g., publisher-reputation, subscription-manager, campaign-orchestrator).
• Backend API: All backend services and endpoints maintained by PulsarTrack.
• Frontend App: Client-side validation, wallet interactions, and general web vulnerabilities (XSS, CSRF, etc.) within the main web application.

The following are explicitly out of scope:

• Theoretical vulnerabilities without a reproducible proof-of-concept.
• Vulnerabilities relying on social engineering, phishing, or physical access.
• Bugs in third-party dependencies (unless the vulnerability is introduced by our specific misuse of the library).
• Issues related to the Stellar network itself or the Soroban execution environment (please report these directly to the Stellar Development Foundation).
• Denial of Service (DoS) attacks requiring massive external resources.

We highly value the work of the security community. At this time, all validated and accepted reports of critical or high severity vulnerabilities in our core smart contracts may be eligible for a bug bounty.

Bounty amounts are determined on a case-by-case basis depending on the severity and impact of the vulnerability. Tiers generally range from:

• Critical: Complete loss of funds or core protocol failure.
• High: Contract logic bypass or unauthorized data manipulation.
• Medium/Low: Limited impact UI bugs or defense-in-depth issues.

We support safe harbor for security researchers who:

• Report the vulnerability to us privately and give us reasonable time to fix it before public disclosure.
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.
• Do not exploit the vulnerability beyond what is necessary to demonstrate the issue.
• Comply with all applicable laws.

If you conduct your research and reporting in accordance with these guidelines, we will consider your actions authorized and will not initiate or support any legal action against you related to your research.