| Version | Supported |
|---|---|
| 0.55.x | Yes |
| < 0.55 | No |
This policy covers the genesismesh-sdk-dotnet NuGet package. It does not
cover the Genesis Mesh Network Authority server or the Genesis Mesh protocol
itself — those are tracked in the
main repository.
Vulnerabilities in scope:
- Incorrect Ed25519 signature construction or verification
CanonicalJsonproducing incorrect output that could allow signature bypass- Admin header building that leaks the signing key or produces forgeable headers
- Error handling that leaks internal server details to callers
- Dependency vulnerabilities in the published package
Out of scope (report to the main repo instead):
- NA server-side vulnerabilities
- Protocol design issues
- Issues requiring physical access to the signing key material
Do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting:
- Go to the Security tab
- Click Report a vulnerability
- Fill in the report form
You will receive a response within 72 hours. We aim to release a fix within 14 days for critical issues and 30 days for moderate issues.
Please include:
- A description of the vulnerability and its impact
- Steps to reproduce or a minimal code sample
- The package version affected
- Any proposed fix if you have one
We follow coordinated disclosure. We ask that you keep the vulnerability private until a fix is released. We will credit you in the release notes unless you prefer to remain anonymous.