Security: rooch-network/rooch

SECURITY.md

Security Policy

Reporting a Vulnerability

The Rooch dev team takes the security of our project seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

To report a security vulnerability, please use the GitHub Security Advisory "Report a security vulnerability" feature.

Please do not report security vulnerabilities through public GitHub issues.

When reporting a vulnerability, please provide as much information as possible, including:

  1. A description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact of the vulnerability
  4. Any potential mitigations you've identified

Response Time

We will acknowledge receipt of your vulnerability report within 3 business days and will send you regular updates about our progress.

Disclosure Policy

When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:

  1. Confirm the problem and determine the affected versions.
  2. Audit code to find any potential similar problems.
  3. Prepare fixes for all releases still under maintenance.
  4. Release new versions and update the public repository.

Comments on this Policy

If you have suggestions on how this process could be improved, please submit a pull request.

Thank you for helping keep Rooch and our users safe!
