The Rooch dev team takes the security of our project seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
To report a security vulnerability, please use the GitHub Security Advisory "Report a security vulnerability" feature.
Please do not report security vulnerabilities through public GitHub issues.
When reporting a vulnerability, please provide as much information as possible, including:
- A description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any potential mitigations you've identified
We will acknowledge receipt of your vulnerability report within 3 business days and will send you regular updates about our progress.
When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:
- Confirm the problem and determine the affected versions.
- Audit code to find any potential similar problems.
- Prepare fixes for all releases still under maintenance.
- Release new versions and update the public repository.
If you have suggestions on how this process could be improved, please submit a pull request.
Thank you for helping keep Rooch and our users safe!