Please do not open public issues for security vulnerabilities.
If you discover a security vulnerability in StellarLend, please report it responsibly:
📧 Email: security@stellarlend.io
What to expect after you report:
- Acknowledgment: Within 48 hours of receiving your report
- Initial Assessment: Within 7 days
- Resolution Timeline: We aim to address critical issues within 30 days; complex issues may take longer
We follow a 90-day responsible disclosure window:
- You agree to give us 90 days from the date of acknowledgment to fix the vulnerability before disclosing it publicly
- During this period, we will work diligently to develop and deploy a fix
- If the vulnerability is already publicly known or being actively exploited, the 90-day window may not apply
StellarLend participates in the Stellar Wave Program via Drips. Security researchers may be eligible for bug bounty rewards through the program.
To be considered for a bounty:
- Reports must be for security vulnerabilities (not documentation issues or feature requests)
- Include a clear description and proof of concept
- Demonstrate real impact on the protocol or its users
For more details and to submit reports, visit the Stellar Wave Program on Drips.
In-scope assets:
- Smart contracts in this repository
- Protocol contracts deployed on Stellar testnet and mainnet
Out-of-scope:
- Issues in third-party dependencies (unless they introduce a novel vulnerability in how we use them)
- Vulnerabilities in user-provided key management or wallet software
- Theoretical vulnerabilities without demonstrated impact
When participating in responsible disclosure:
- Do not exploit the vulnerability for any reason (even for testing)
- Do not share information about the vulnerability with others until it's resolved
- Do provide sufficient detail for us to reproduce and verify the issue
- Do include your GitHub username or Drips identity in the report for attribution
Thank you for helping keep StellarLend secure!