## Supported Versions

| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |

Only the latest minor release on the 1.x line receives security fixes. If you are on an older release, upgrade to the latest tag before reporting an issue.

This is testnet, pre-production software. The smart contracts have not yet been audited. Treat anything on-chain as experimental until a release notes otherwise.

## Reporting a Vulnerability

Please do not open a public issue for security problems.

Report privately through GitHub: go to the repository's Security tab → Report a vulnerability (this opens a private advisory). If you can't use that, email the security contact below.

Include what you can:
- Affected component (route, middleware, contract, etc.)
- Steps to reproduce
- Impact / what an attacker could achieve
- Any suggested remediation

We aim to acknowledge within 3 business days.

## Disclosure Process

- Triage — the report is reproduced and assigned a severity (critical / high / medium / low) within 3 business days of acknowledgment.
- Fix — a patch is developed on a private branch (or private security advisory fork for GitHub-reported issues) so the vulnerability isn't disclosed before a fix ships.
- Release — the fix is released as a patch version following semver. Critical/high severity issues are released as soon as the fix is verified; medium/low severity issues are bundled into the next scheduled release.
- Disclosure — a GitHub security advisory is published once the fix is released, crediting the reporter (unless they request otherwise) and summarizing impact and remediation.
- Coordination — for issues affecting deployed instances, we coordinate timing of public disclosure with the reporter to allow operators a reasonable window to upgrade.

## Contact

- Primary: daveproxy80@gmail.com
- Preferred: GitHub private vulnerability reporting (Security tab → Report a vulnerability)


## Audits

| Date | Scope | Auditor | Report |
|---|---|---|---|
| Pending | Smart contracts (Soroban) | — | — |

No formal third-party audit has been completed yet. This table will be updated as audits are scheduled and completed. Until an audit is recorded here, treat on-chain components as unaudited and experimental.