For a bug that is operational and/or non-sensitive rather than a critical vulnerability, please add it as a GitHub issue.
To notify us of a critical vulnerability, please send an email to [email protected]. Please include your GitHub handle in this email and ensure that multi-factor authentication is enabled on your account. This way, we can immediately add you to a new draft security advisory for further discussion.
DO NOT CREATE A PUBLIC ISSUE to report a vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.
If you believe you have found a security vulnerability in our smart contract repository, we encourage you to let us know right away and ask that you:
- Keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed and deployed.
- Allow us a reasonable amount of time to correct or address security vulnerabilities.
- Avoid exploiting any vulnerabilities that you discover.
- Demonstrate good faith by not disrupting or degrading Elusiv's services.
- Once a security report is received, the Elusiv development team works to verify the issue.
- A new draft security advisory is established and an invitation is sent to the submitter.
- Patches are prepared in private forks and discussed in the security advisories.
- We notify the community that a security release is coming to give users, developers and Warden operators time to prepare their systems for the update.
- Once the community is ready, the fixes are applied publicly, new releases are issued, and the source code is made public.
- Then, we will pay out any relevant bug bounties to submitters.
This process can take some time. We will investigate all legitimate reports and do our best to quickly fix the problem. We are committed to responding to security issues promptly in accordance with this process and keeping our users safe.
Thank you for helping us keep our protocol secure!