| Version | Supported |
|---|---|
| main | ✅ |
Fixes are applied to main first. If you are running a fork or a pinned commit, please still report — we will coordinate disclosure with you.
Please do not open a public GitHub Issue for security vulnerabilities. Public disclosure before a fix is available puts all users at risk.
Follow this process instead:
- Report privately using one of the contact methods below.
- We will acknowledge your report within 48 hours.
- We will investigate and provide a status update within 7 days.
- We will work with you to agree on a coordinated disclosure date (typically after a fix is released).
- You will be credited in the release notes unless you prefer to remain anonymous.
| Method | Details |
|---|---|
| Email | security@votechain.dev (monitored by maintainers) |
| GitHub Private Advisory | Use GitHub Security Advisories to report confidentially without email |
When reporting, please include:
- A clear description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (PoC)
- Affected component(s) — contract name, function, file path
- Any suggested mitigation or patch (optional but appreciated)
| Milestone | Target |
|---|---|
| Acknowledgement | ≤ 48 hours |
| Initial assessment & severity triage | ≤ 7 days |
| Fix or mitigation for critical issues | ≤ 14 days |
| Coordinated public disclosure | Agreed with reporter, typically after fix is released |
In scope:
- `contracts/governance/**` — proposal creation, voting, finalisation, execution, cancellation
- `contracts/token/**` — governance token minting, balances, transfers
- Build and CI tooling that could affect contract correctness (`scripts/`, `.github/workflows/`)
Out of scope:
- Third-party dependencies and upstream toolchains (Rust, Soroban SDK, Stellar Core) — please report those to the respective upstream projects
- Social engineering, phishing, or physical attacks
- Denial-of-service attacks that rely on unrealistic network-level assumptions outside the Soroban execution model
- Issues in forks or unofficial deployments not maintained by this repository
This project does not currently operate a paid bug bounty program.
We recognise and publicly credit all valid security reports in release notes. If a bounty program is introduced in the future, this document will be updated with program rules, payout ranges, and a link to the bounty platform.
Key security properties of the contracts:
- `cast_vote` calls `require_auth()` — votes cannot be forged by a third party
- Double-vote prevention via a persistent `HasVoted(proposal_id, voter)` storage key
- Vote weight equals the voter's token balance at the time of the vote — no snapshot manipulation
- Only the designated admin address can execute or cancel proposals
- Quorum is enforced at finalisation — proposals cannot pass silently with low turnout
- All token amounts use `i128` — no floating-point arithmetic or rounding errors
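The properties above as an executable in-memory model, added here as an illustration rather than the project's own Soroban contract: identities are plain strings, `require_auth()` is represented by the `voter`/`caller` argument already being the authenticated invoker, and the `Governance`, `Proposal` and `GovError` names are assumed for this sketch.

```rust
use std::collections::{HashMap, HashSet};
/// Simplified model of the invariants listed above (not the project's contract):
/// the authenticated caller is passed in explicitly in place of require_auth().
#[derive(Debug, PartialEq)]
pub enum GovError { AlreadyVoted, NotAdmin, QuorumNotMet, NotFinalised }
#[derive(Default)]
pub struct Proposal { pub for_votes: i128, pub against_votes: i128, pub passed: Option<bool> }
pub struct Governance {
    pub admin: String,
    pub quorum: i128,
    pub balances: HashMap<String, i128>,
    pub proposals: HashMap<u64, Proposal>,
    /// Mirrors the persistent HasVoted(proposal_id, voter) storage key.
    pub has_voted: HashSet<(u64, String)>,
}
impl Governance {
    pub fn cast_vote(&mut self, voter: &str, proposal_id: u64, support: bool) -> Result<i128, GovError> {
        let key = (proposal_id, voter.to_string());
        if self.has_voted.contains(&key) { return Err(GovError::AlreadyVoted); }
        // Weight is the balance at the moment of voting, kept as i128 (no floating point).
        let weight = *self.balances.get(voter).unwrap_or(&0);
        let p = self.proposals.entry(proposal_id).or_default();
        if support { p.for_votes += weight } else { p.against_votes += weight }
        self.has_voted.insert(key);
        Ok(weight)
    }
    /// Quorum is checked here, so a proposal cannot pass on low turnout.
    pub fn finalise(&mut self, proposal_id: u64) -> Result<bool, GovError> {
        let p = self.proposals.entry(proposal_id).or_default();
        let turnout = p.for_votes + p.against_votes;
        if turnout < self.quorum { return Err(GovError::QuorumNotMet); }
        let passed = p.for_votes > p.against_votes;
        p.passed = Some(passed);
        Ok(passed)
    }
    /// Only the designated admin may execute a finalised, passed proposal
    /// (cancellation follows the same admin check and is not modelled here).
    pub fn execute(&self, caller: &str, proposal_id: u64) -> Result<(), GovError> {
        if caller != self.admin { return Err(GovError::NotAdmin); }
        match self.proposals.get(&proposal_id).and_then(|p| p.passed) {
            Some(true) => Ok(()),
            _ => Err(GovError::NotFinalised),
        }
    }
}
```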