If you believe you’ve found a security vulnerability in this project, we strongly encourage responsible disclosure and will work with you to resolve the issue promptly.
Please do not create a public issue or discuss the vulnerability in public forums.
You have two options to report security issues:
- Private Disclosure via GitHub (Recommended)
  - Use the "Report a vulnerability" button in the GitHub repository's /security/advisories page.
  - This will privately notify the maintainers through GitHub’s security advisory workflow.
- Email
  - Send a detailed report to: security at shardeum dot org
To help us understand and resolve the issue quickly, please include (where possible):
- A detailed description of the vulnerability
- Steps to reproduce it
- Any relevant proof-of-concept code
- The potential impact or affected components
- We will acknowledge your report within 3 business days.
- We will investigate and confirm the issue.
- If a fix is needed, we’ll prepare a patch and may issue a GitHub Security Advisory (and CVE if applicable).
- We’ll keep you informed throughout the process and credit you if appropriate.
We appreciate your efforts in keeping our project and its users safe.
When conducting security research and reporting vulnerabilities, we request that you:
- Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only interact with accounts or data that you own or have explicit permission to access.
- Limit the amount of data you access or download to the minimum necessary to demonstrate the vulnerability.
- Do not use a vulnerability to gain persistent access to systems or exfiltrate sensitive information.
- Report the vulnerability to us as soon as you discover it.
- Allow us a reasonable timeframe to investigate, fix, and announce the vulnerability before making it public.
We only provide security updates for the latest stable release. Make sure you're up-to-date.
We consider security research conducted in accordance with this policy to be authorized. If you make a good faith effort to discover and report vulnerabilities by following these guidelines, we will not initiate legal action against you or ask law enforcement to investigate you. If any third party initiates legal action against you related to research conducted under this policy, we will make it known that your actions were authorized by us.
Thank you for helping improve the security of this project!