| Version | Supported |
|---|---|
| 0.53.x | Yes |
| < 0.53 | No |
This policy covers the genesis-mesh-sdk TypeScript package. It does not
cover the Genesis Mesh Network Authority server or the Genesis Mesh protocol
itself — those are tracked in the
main repository.
Vulnerabilities in scope:
- Incorrect Ed25519 signature construction or verification
- Canonical JSON producing incorrect output that could allow signature bypass
- Admin header building that leaks the signing key or produces forgeable headers
- Error handling that leaks internal server details to callers
- Dependency vulnerabilities in the published package
Out of scope (report to the main repo instead):
- NA server-side vulnerabilities
- Protocol design issues
- Issues requiring physical access to the signing key material
Do not open a public GitHub issue for security vulnerabilities.
Use GitHub's private vulnerability reporting:
- Go to the Security tab
- Click Report a vulnerability
- Fill in the report form
You will receive a response within 72 hours. We aim to release a fix within 14 days for critical issues and 30 days for moderate issues.
Please include:
- A description of the vulnerability and its impact
- Steps to reproduce or a minimal code sample
- The SDK version affected
- Any proposed fix if you have one
We follow coordinated disclosure. We ask that you keep the vulnerability private until a fix is released. We will credit you in the release notes unless you prefer to remain anonymous.