Lernza handles token distribution on the Stellar network. Security is critical. We take all vulnerability reports seriously.
Do not open a public issue for security vulnerabilities.
Instead, report vulnerabilities privately through GitHub Security Advisories:

- Go to the repository's Security Advisories page
- Click "Report a vulnerability"
- Provide as much detail as possible

If GitHub Security Advisories are unavailable, email the maintainers directly with the subject line `[SECURITY] Lernza vulnerability report`.

Please include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact (especially regarding token handling)
- Suggested fix if you have one

You can expect the following response times:

- Acknowledgment: within 48 hours
- Assessment: within 1 week
- Fix timeline: depends on severity; for critical issues we target a fix within 7 days

The following are in scope:

- Smart contract vulnerabilities (unauthorized token transfers, state manipulation, reentrancy)
- Authentication/authorization bypasses
- Token pool drainage or manipulation
- Frontend vulnerabilities that could lead to transaction signing abuse
- Private key or wallet exposure

The following are out of scope:

- Issues in third-party dependencies (report these to the upstream project instead)
- Denial of service without meaningful impact
- Social engineering

The following versions receive security fixes:

| Version | Supported |
|---|---|
| main branch | Yes |
| Tagged releases | Yes |
| Older branches | No |

We appreciate security researchers. Contributors who responsibly disclose vulnerabilities will be credited in the release notes (unless they prefer to remain anonymous).