The Stargaze core team and community takes all security issues and vulnerabilities very seriously.
Thanks for improving the security of Stargaze. We appreciate your efforts. Following these responsible disclosure guidelines will make sure your contribution is acknowledged.
Please report security vulnerabilities to [email protected]. Please avoid opening a public Github issue or posting on social media or Discord.
The Stargaze team will respond with the next steps following the email within the next 2 working days. The team will keep you informed on the remediation process and may ask for additional guidance/information.
Please include the following in your report:
- Your name/affiliation (if any)
- Description of the technical details of the vulnerability, including how to reproduce.
- An explanation of who can exploit this vulnerability, including possible attack scenarios.
- Whether this vulnerability is public or known to third parties.
The core team asks security researchers to keep communications around vulnerabilities private and confidential until a patch is ready.
Additionally, we request:
- Allow a reasonable amount of time to correct and address the issue.
- Avoid exploiting the vulnerability.
- Demonstrate good faith by not disrupting Stargaze's network, data, or services.
Once a report is received, the following process will be followed:
- The Stargaze core team will work to verify the issue.
- Work on a patch in a private repository.
- Notify the community and validators that a security update is coming, giving ample time to upgrade and apply the patch.
- After the community has been notified, and after verifying that the patch works, the team will pay out any relevant bug bounties to submitters.
- A post-mortem will be published a week after the vulnerability is discovered.
Every effort will be made to handle disclosures in a timely manner. It's very important to follow the above process for vulnerabilities to be handled quickly and effectively.