Quasar has not been audited. Do not use it in production with real funds until an audit is complete. There is no bug bounty program at this time.
Since Quasar is unaudited and should not be used with real funds, report vulnerabilities publicly by opening a bug report. Public disclosure helps everyone and gets bugs fixed faster.
Once Quasar is audited and in production use, we'll switch to private disclosure with a bug bounty program.
This policy covers:
quasar-lang— framework primitives, zero-copy access, CPI builderquasar-derive— proc macrosquasar-spl— SPL Token integration
Quasar uses unsafe for zero-copy access, CPI syscalls, and pointer casts. Every unsafe block has a documented soundness invariant and is validated by Miri under Tree Borrows with symbolic alignment checking.
If you find an unsafe block that lacks a soundness argument or can be triggered to produce undefined behavior, that qualifies as a security vulnerability.