The SmartContractAudit team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report security vulnerabilities by emailing:
[email protected] (placeholder contact)
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of source file(s) related to the manifestation of the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
This information will help us triage your report more quickly.
For sensitive security reports, you may encrypt your message using our PGP key:
[PGP KEY PLACEHOLDER - To be provided]
- Report Received: Security reports are acknowledged within 48 hours
- Initial Triage: We assess the severity and scope within 5 business days
- Investigation: The security team investigates and develops a fix
- Coordinated Disclosure: We work with you on disclosure timeline
- Release: Security patches are released and vulnerabilities disclosed
- Critical vulnerabilities: Initial response within 24 hours, fix target within 7 days
- High severity: Initial response within 48 hours, fix target within 14 days
- Medium severity: Initial response within 5 days, fix target within 30 days
- Low severity: Initial response within 7 days, fix target within 60 days
The CyberAi project takes security seriously. We appreciate responsible disclosure of security vulnerabilities and will work with security researchers to resolve issues quickly.
If you discover a security vulnerability, please follow these steps:
Please do not open a public GitHub issue for security vulnerabilities. This could put the community at risk.
Send details of the vulnerability to:
To help us triage and address the issue quickly, please include:
- Description: Clear description of the vulnerability
- Impact: Potential impact and attack scenarios
- Affected versions: Which versions are affected
- Reproduction steps: Step-by-step instructions to reproduce the issue
- Proof of concept: Sample code, screenshots, or logs if available
- Suggested fix: If you have a recommendation for fixing the issue
- Your contact information: For follow-up questions
For sensitive disclosures, you may encrypt your report using our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP Key Placeholder - Contact [email protected] for actual key]
-----END PGP PUBLIC KEY BLOCK-----
We will acknowledge receipt of your vulnerability report within 48 hours (2 business days).
Our security team will assess the report and determine:
- Severity level (Critical, High, Medium, Low)
- Affected components and versions
- Priority for remediation
You can expect an initial assessment within 5 business days.
We aim to resolve security issues according to the following SLA:
- Critical: 7 days
- High: 14 days
- Medium: 30 days
- Low: 60 days
Timeline may vary based on complexity and the need for coordinated disclosure.
Once a fix is available:
- We will prepare a security advisory
- Coordinate with you on public disclosure timing
- Release a patch or new version
- Publish the security advisory
- Credit you in the advisory (if desired)
- Authentication and authorization issues
- Code injection vulnerabilities
- Exposure of sensitive data or credentials
- Insecure cryptographic implementations
- Privilege escalation
- Remote code execution
- Cross-site scripting (XSS) or similar web vulnerabilities
- Supply chain vulnerabilities in dependencies
- Issues affecting outdated or unsupported versions
- Vulnerabilities requiring physical access to a user's device
- Social engineering attacks
- Denial of Service (DoS) attacks without proven impact
- Issues that have already been reported or are known
This project follows these security practices:
- No Secrets in Code: Never commit API keys, passwords, or private keys
- Dependency Scanning: Regular audits of dependencies for known vulnerabilities
- Code Review: All changes require review before merging
- Least Privilege: Services run with minimal required permissions
- Dry-Run Defaults: Destructive operations default to dry-run mode
- Input Validation: All user inputs are validated and sanitized
- Primary Contact: [email protected]
- Backup Contact: [To be specified]
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
We recommend always using the latest version to ensure you have all security updates.
We appreciate and recognize security researchers who help keep our project secure:
- Responsible disclosures will be credited in release notes (if desired)
- We may acknowledge security researchers in our documentation
- Critical vulnerability reports may qualify for recognition in our Hall of Fame
We support safe harbor for security researchers who:
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
- Only interact with accounts they own or have the explicit permission of the account holder to use
- Do not exploit a security issue beyond what is necessary to demonstrate it
- Do not access, modify, or delete data belonging to others
- Give us reasonable time to fix the issue before public disclosure
For more information about our security practices:
- Review our GOVERNANCE.md for security roles and responsibilities
- See PRIVACY.md for data handling policies
- Check CONTRIBUTING.md for secure development practices
We take the security of SmartContractAudit seriously. If you discover a security vulnerability, please follow these guidelines:
DO NOT open a public issue for security vulnerabilities.
Instead, please report security issues to:
- Email: [email protected] (placeholder contact)
- Subject: [SECURITY] Brief description of the issue
When reporting a vulnerability, please provide:
- Description - Clear description of the vulnerability
- Impact - Potential impact and severity assessment
- Reproduction Steps - Detailed steps to reproduce the issue
- Affected Versions - Which versions are affected
- Suggested Fix - If you have ideas for mitigation (optional)
- Your Contact Information - So we can follow up with you
For sensitive disclosures, you may encrypt your report using our PGP key:
[PGP KEY PLACEHOLDER - To be added]
- Submit Report - Send your security report via email
- Acknowledgment - We'll acknowledge receipt within 48 hours
- Initial Triage - We'll perform initial assessment within 5 business days
- Investigation - We'll investigate and work on a fix
- Resolution - We'll release a patch and security advisory
- Credit - We'll credit you in the advisory (unless you prefer to remain anonymous)
- Critical vulnerabilities: Initial response within 24 hours, fix within 7 days
- High vulnerabilities: Initial response within 48 hours, fix within 14 days
- Medium vulnerabilities: Initial response within 5 days, fix within 30 days
- Low vulnerabilities: Initial response within 7 days, fix as appropriate
We provide security updates for the following versions:
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
We recommend always using the latest version to receive security updates.
When using SmartContractAudit:
- Never commit secrets - Use environment variables for sensitive data
- Keep dependencies updated - Regularly update to get security patches
- Review audit reports - Check security scan results carefully
- Use dry-run mode - Test changes in dry-run mode first
- Limit permissions - Use minimal required permissions for tokens/apps
We follow a coordinated disclosure model:
- Security issues are fixed privately
- Patches are released before public disclosure
- Security advisories are published after patches are available
- We credit researchers who report vulnerabilities responsibly
For general security questions or concerns:
- Email: [email protected] (placeholder)
- Response Time: Within 5 business days
Security issues in:
- Core smart contract audit tools
- Automation workflows and scripts
- Dependencies with known vulnerabilities
- Configuration issues leading to security risks
- Access control and authentication bypasses
- Data leakage or privacy violations
- Injection vulnerabilities (code, command, etc.)
The following are generally not considered security issues:
- Issues in third-party dependencies (report to the upstream project)
- Denial of service via resource exhaustion
- Issues requiring physical access to a user's device
- Social engineering attacks
- Issues in outdated or unsupported versions
- Never commit secrets, API keys, or credentials
- Use environment variables for sensitive configuration
- Enable dry-run mode by default for destructive operations
- Review dependencies for known vulnerabilities
- Follow the principle of least privilege
- Validate and sanitize all inputs
- Use security linters and scanners
- Keep your installation up to date
- Use strong, unique credentials
- Enable two-factor authentication where available
- Review permissions granted to the application
- Monitor logs for suspicious activity
- Report suspected security issues promptly
Security updates will be announced through:
- GitHub Security Advisories
- Release notes with a `[SECURITY]` prefix
- Email to registered users (for critical issues)
- Project documentation and README
Subscribe to repository notifications to stay informed.
We currently do not have a paid bug bounty program. However, we deeply appreciate security research and will:
- Acknowledge your contribution publicly (if desired)
- Include you in our security researchers hall of fame
- Provide project swag or recognition where possible
- Security reports: [email protected]
- General inquiries: See CONTRIBUTING.md
- PGP key requests: [email protected]
This security policy may be updated periodically. Check back regularly or watch the repository for changes.
Last Updated: 2026-01-01
If you discover a security vulnerability in this project, please report it responsibly:
Contact: [email protected]
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
We will acknowledge receipt within 48 hours and provide a detailed response within 7 days.
For CuberAi product issues and triage, see SolanaRemix/CuberAi.
We release patches for security vulnerabilities on the latest stable version.
Thank you for helping keep this project secure!