The following versions of TrustLink currently receive security updates:

Do not open a public GitHub issue for security vulnerabilities.

TrustLink supports GitHub's private vulnerability reporting. Use the "Report a vulnerability" button on the Security Advisories page of this repository, or email security@trustlink.io.

• A clear description of the vulnerability
• Steps to reproduce the issue
• The potential impact (e.g., unauthorized access, fund loss, data exposure)
• The affected version(s) and contract function(s)
• A suggested fix or mitigation, if you have one

1. Submit your report via private advisory or email.
2. Acknowledgement — you will receive a confirmation within 48 hours.
3. Triage — the team evaluates severity using the CVSS scoring framework within 5 business days.
4. Remediation — patches for HIGH and CRITICAL severity findings are targeted for release within 30 days of confirmation. Lower-severity issues are addressed in the next scheduled release.
5. Disclosure — a public security advisory is published after the patch is released. Reporters are credited (with consent).

The following are in scope for vulnerability reports:

• The TrustLink Soroban smart contract (src/)
• Authorization logic (admin, issuer, bridge, multi-sig flows)
• Storage key collisions or data corruption
• Fee bypass or manipulation
• Attestation forgery or unauthorized revocation
• TypeScript and Python SDK bindings that could expose integrators to exploits

The following are out of scope:

• Denial-of-service attacks that rely on abnormally high ledger fees
• Social engineering or phishing
• Vulnerabilities in third-party dependencies (report those upstream)
• Issues in example code under examples/ that do not affect the core contract

• Email: security@trustlink.io
• GitHub Private Advisory: Submit here

For general questions that are not security-sensitive, open a GitHub Discussion or a regular issue.