This policy covers the Swyft monorepo, including:

• Soroban smart contracts (packages/contract/)
• NestJS backend API (apps/api/)
• TypeScript SDK (packages/sdk/)
• Next.js frontend (apps/web/)

Important: Swyft contracts are unaudited. Do not deploy to mainnet or use with real funds until a security audit has been completed and published.

Please do not open public GitHub issues for security vulnerabilities. Public disclosure before a fix is available puts users at risk.

Send a report by email to the maintainer via GitHub. You can find the contact by navigating to the repository owner's profile and using the email listed there, or by opening a private GitHub Security Advisory.

A useful report includes:

1. Description — what is vulnerable and what the potential impact is
2. Reproduction steps — a minimal example that demonstrates the issue
3. Affected component — which package, contract, or endpoint is affected
4. Suggested fix (optional) — if you have one

We follow the CVSS v3.1 scoring framework:

Soroban contracts present unique risks. When reporting contract vulnerabilities, please consider:

• Reentrancy — cross-contract call ordering
• Arithmetic overflow/underflow — fixed-point math edge cases
• Access control — admin function exposure
• Oracle manipulation — TWAP price manipulation vectors
• Tick arithmetic — off-by-one errors in concentrated liquidity math
• Storage exhaustion — unbounded storage writes

Swyft follows coordinated disclosure:

1. Researcher reports privately.
2. Maintainer confirms and assesses the issue.
3. Fix is developed and tested.
4. Fix is merged and a release is tagged.
5. Public advisory is published with credit to the reporter (unless they prefer to remain anonymous).

We will not take legal action against security researchers who follow this policy and act in good faith.

There is no formal bug bounty programme at this time. We will publicly acknowledge researchers who responsibly disclose valid vulnerabilities.