| Version | Supported |
|---|---|
| latest | ✅ |
Do not open a public issue for security vulnerabilities.
Report vulnerabilities by emailing security@bountyonchain.io with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
You will receive an acknowledgement within 48 hours and a status update within 7 days.
Automated scanning runs on every CI build and weekly via Dependabot:
- npm (`apps/frontend`, `apps/backend`): `npm audit --audit-level=high` — fails on `high` or `critical` findings
- Cargo (`apps/contracts`): `cargo audit` — fails on any advisory
- Dependabot: opens PRs weekly for npm and Cargo dependency updates
| Severity | Response SLA |
|---|---|
| Critical | 24 hours |
| High | 72 hours |
| Medium | 2 weeks |
| Low | Next release |
For confirmed vulnerabilities, we will:
- Develop and test a fix
- Release a patched version
- Publish a public advisory after the fix is deployed