This policy covers actively maintained code in this repository, including:
- Solana programs under programs/
- Rust crates under crates/
- Services under services/
- TypeScript packages under packages/
Report vulnerabilities privately to:
Do not file public GitHub issues for vulnerabilities.
Include the following:
- Affected component and path
- Impact assessment
- Reproduction steps or proof of concept
- Suggested remediation (if available)
- Initial acknowledgment: within 2 business days
- Triage and severity classification: within 7 business days
- Remediation timeline: based on severity and exploitability
- We prefer coordinated disclosure.
- Public disclosure should wait until a fix is available or mitigation guidance is published.
The following are usually out of scope unless they demonstrate meaningful security impact:
- Styling or UI-only issues
- Vulnerabilities in third-party dependencies without a repository-specific exploit path
- Denial-of-service claims without reproducible resource-exhaustion details
When contributing security-sensitive changes:
- Add tests that prove the failure mode and the fix
- Document operational impact and rollback strategy
- Avoid introducing hidden configuration defaults