SINT Protocol is currently in active development. Security fixes are applied to the latest main branch.
The public bounty program will not go live until maintainers choose a platform, approve funding, and publish the final scope. The current non-binding launch draft is tracked in docs/security/bug-bounty-launch-plan.md.
If you discover a vulnerability, do not open a public issue.
Please report privately by email to:
i@pshkv.com
Use subject line:
[SINT-SECURITY]
Include:
- A clear description of the issue
- Steps to reproduce
- Potential impact
- Suggested remediation (if available)
Operational details for the disclosure path and response SLA are documented in:
We will:
- acknowledge receipt within 48 hours
- classify severity and confirm next steps within 10 business days
- send weekly status updates for valid reports until a remediation or disclosure plan is agreed
For valid reports, we will coordinate remediation and disclosure timing with the reporter.
Please avoid public disclosure until a fix is released or a coordinated disclosure date is agreed.
When a public advisory is needed, maintainers will publish it through GitHub Security Advisories.