If you discover a security vulnerability in Sortes, please do not open a public issue. Instead, email the maintainers privately:

• Akash Mondal — akash@miny-labs.com
• Hitakshi Arora — hitakshi@miny-labs.com

We will acknowledge receipt within 72 hours and provide a remediation timeline within 7 days. Critical vulnerabilities may be fast-tracked.

In scope:

• Sortes-specific contracts under src/ (ConfidentialCollateralWrapper, SealedPool, SortesMarketFactory, oracle bridge contracts).
• Sortes-specific deployment scripts under script/.

Out of scope (report to upstream maintainers):

• Vulnerabilities in lib/conditional-tokens-contracts/ → gnosis/conditional-tokens-contracts or Polymarket/conditional-tokens-contracts.
• Vulnerabilities in lib/ctf-exchange/ → Polymarket/ctf-exchange.
• Vulnerabilities in lib/uma-ctf-adapter/ → Polymarket/uma-ctf-adapter.
• Vulnerabilities in lib/confidential-token/ → skalenetwork/confidential-token and the SKALE Labs security process at https://blog.skale.space/security.
• Vulnerabilities in BITE consensus or SKALE precompiles → SKALE Labs.

Sortes is pre-audit. The novel contracts (ConfidentialCollateralWrapper, SealedPool) are intended for ChainSecurity or Trail of Bits review prior to mainnet launch. Audited upstream components retain their original audit perimeter:

• ChainSecurity, Polymarket Exchange, Nov 2022
• ChainSecurity, Polymarket NegRiskAdapter, Apr 2024
• ChainSecurity, Polymarket Conditional Tokens, Apr 2024
• OpenZeppelin, Polymarket UMA CTF Adapter (PDF in upstream repo).

A formal bug bounty will be opened post-mainnet launch. Pre-launch disclosures are credited in the security acknowledgments section of the README and may be eligible for retroactive rewards from the protocol treasury.