If you discover a security vulnerability in NebGov, please report it responsibly. Do not open a public GitHub issue.
- Go to GitHub Security Advisories
- Click "Report a vulnerability"
- Fill in the details of the vulnerability
- Submit the report
- Description of the vulnerability
- Steps to reproduce
- Affected component (contract, SDK, frontend)
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix and disclosure: Coordinated with the reporter
The following components are in scope:
| Component | Repository Path |
|---|---|
| Governor Contract | contracts/governor |
| Timelock Contract | contracts/timelock |
| Token Votes Contract | contracts/token-votes |
| Governor Factory | contracts/governor-factory |
| Treasury Contract | contracts/treasury |
| TypeScript SDK | sdk/ |
The frontend (app/) is lower priority but still in scope.
- Issues in third-party dependencies (report upstream)
- Testnet-only issues with no mainnet impact
- Social engineering or phishing
| Version | Supported |
|---|---|
| main branch | Yes |
| Tagged releases | Yes |
| Older commits | No |
All JavaScript dependencies are automatically scanned for known vulnerabilities using pnpm audit in our CI pipeline. The scan runs on every pull request and push to main, covering all workspaces:
sdk/- TypeScript SDKapp/- Next.js frontendpackages/indexer/- Event indexer APIbackend/- Backend services (if present)
All Rust dependencies are automatically scanned for known security vulnerabilities using cargo-audit via the rustsec/audit-check action.
- Frequency: Every PR and push to
main. - Database: RustSec Advisory Database.
- Reporting: Vulnerabilities are posted as comments on pull requests.
- Configuration: Suppression of false positives or non-applicable advisories is handled in
.cargo/audit.toml.
If a vulnerability is flagged that doesn't apply to our usage or is a false positive, you can suppress it using one of these methods:
Create or update .npmrc in the workspace root:
audit-level=high
Add to the root package.json:
{
"pnpm": {
"auditConfig": {
"ignoreCves": ["CVE-2023-XXXXX"]
}
}
}For temporary issues during development:
pnpm audit --audit-level=high --ignore-registry-errors- Critical/High: Blocks CI and prevents merging
- Moderate/Low: Reported but doesn't block CI
- Info: Logged for awareness only
When suppressing vulnerabilities, document the reasoning in the commit message and consider creating a GitHub issue to track the decision.