We take the security of BettaPay seriously. If you believe you have found a security vulnerability, please report it to us immediately using the guidelines below.
Security patches are provided only for the latest minor release of the current BettaPay component line:
| Version | Supported |
|---|---|
| v1.x (Current) | ✅ Yes |
| < v1.0.0 | ❌ No |
Do not report security vulnerabilities through public GitHub issues.
If you discover a security issue (e.g., smart contract bugs, key disclosure, authentication bypass, remote code execution):
- Email security@bettapay.test (encrypted and plain-text mail are both accepted).
- Include the following details in your report:
  - Affected component (Contract, Backend API Gateway, Frontend Dashboard, etc.).
  - Description of the vulnerability and its potential impact.
  - Step-by-step instructions (with proof-of-concept code or screenshots) to reproduce the issue.
  - Any suggestions on how the issue can be mitigated.
We will acknowledge receipt of your vulnerability report within 24 hours and provide a status update on our investigation within 3 business days.
If the issue is confirmed, we will work on a patch and coordinate a public release timeline with you, giving credit for your discovery if you wish.
Areas of particular interest for reports currently include:
- Soroban Smart Contracts: admin and authorization logic, token transfer paths, integer overflow checks, and storage leaks.
- Microservices API Gateway: authentication routes, safe JWT handling (signature and claim validation), and injection prevention.
- Node.js Dependencies: supply-chain security via the pnpm lockfile and dependency scanning.