| Version | Supported |
|---|---|
| Latest beta or release candidate | ✅ |
| v0.9.x | ✅ |
| v0.8.x | ✅ |
| < v0.9 | ❌ |

If you discover a security issue in this project, please DO NOT open an issue or publicly disclose the vulnerability.
There are two ways to privately report a security issue:
- Send an email to [email protected], which all code owners can access and check regularly. You can encrypt your message with the public key tied to this email address.
- Submit a report through GitHub's private vulnerability reporting system.

Your report will be acknowledged within 24 hours, and you’ll receive a more detailed response within 48 hours indicating the next steps in handling your report.
In the event that we learn of a critical security vulnerability, we reserve the right to silently fix it without immediately disclosing the existence of the vulnerability.
In such a scenario, we will:
- Silently fix the vulnerability in a new release.
- Notify all users of the affected versions that they should upgrade to the new release.
- After a reasonable period of time, publicly disclose the vulnerability, along with credit to the reporter (with their permission).

This policy is based on the Geth team's silent patch policy.