Currently, only the latest version of the project receives security updates.

We appreciate security vulnerability reports. GitHub recognizes and rewards security researchers who help keep our users and services safe.

Please DO NOT report security vulnerabilities publicly through GitHub Issues.

Instead, please:

1. Send an email to: [INSERT SECURITY EMAIL]

   • Or create a private Security Advisory

2. Include the following information:

   • Description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact of the vulnerability
   • Suggestions for a solution (if you have any)

3. Wait for a response: We will respond within 48 hours

We follow GitHub's Coordinated Vulnerability Disclosure process:

1. Initial report: We receive and acknowledge the report
2. Investigation: We investigate and validate the vulnerability
3. Fix: We develop and test a fix
4. Disclosure: We publish the fix and give credit to the researcher (if desired)

• Initial response: Within 48 hours
• Confirmation: Within 7 days
• Status updates: Weekly until resolution
• Credit: We will give you credit in the CHANGELOG and Security Advisory (if desired)

This project complies with GitHub Security Policies.

• Never commit sensitive information:

  • Private API keys
  • Passwords
  • Access tokens
  • Wallet private keys
  • Environment variables with sensitive data

• Use environment variables:

  • All credentials should be in .env.local (not committed)
  • Use env.example as a template
  • Never upload .env.local to the repository

• Review code before committing:

  # Check for sensitive information
  git diff
  git status

• Use .gitignore correctly:

  • Ensure .env.local, node_modules, and other sensitive files are ignored

• Keep your dependencies updated:

  pnpm update

• Review changes before pulling:

  • Verify there are no suspicious changes
  • Review commits before merging

• Use secure wallets:

  • Never share your private key
  • Use hardware wallets when possible
  • Verify transactions before confirming them

• All contracts must pass security audits
• Use proven libraries (OpenZeppelin when possible)
• Implement proper access controls
• Test thoroughly before deploying

• Never commit API keys in code
• Use environment variables for all credentials
• Rotate credentials regularly
• Use different credentials for development and production

• Validate all user inputs
• Implement rate limiting on public APIs
• Use HTTPS for all communications
• Implement CORS correctly

There are currently no known vulnerabilities. If you discover one, please report it following the process above.

Resolved vulnerabilities are documented in:

• GitHub Security Advisories
• CHANGELOG.md

• GitHub Security Best Practices
• OWASP Top 10
• Smart Contract Security Best Practices
• Somnia Network Security

We currently do not offer a bug bounty program, but we greatly appreciate responsible reports and give public credit to researchers (if desired).

For security questions that are not vulnerabilities, you can:

• Open a public issue with the security-question label
• Contact project maintainers

Last updated: December 2025 Complies with: GitHub Security Policies (December 2025)