In scope:

- Off-chain solver code in this repository
- Evidence generation and hashing logic
- Receipt generation logic
- Configuration and secret handling
- Dependencies with known vulnerabilities

Out of scope:

- On-chain contracts (see the irsb-protocol repo)
- Third-party services and APIs
- Social engineering attacks
- Denial of service without security impact
Do not open a public GitHub issue for security vulnerabilities.

To report a vulnerability:

- Email: send details to the maintainers directly (see CODEOWNERS or the repo settings)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

| Action | Target |
|---|---|
| Initial response | 48 hours |
| Severity assessment | 72 hours |
| Fix timeline provided | 7 days |
| Public disclosure | After fix is released |

| Version | Supported |
|---|---|
| 0.x (current) | Yes |

No bug bounty program is currently active.
This is a reference implementation in early development. We appreciate responsible disclosure and will credit reporters in release notes (with permission).
This project follows these security practices:
- No secrets in code — all credentials via environment variables
- Dependency scanning — CodeQL analysis on every PR
- Evidence integrity — SHA-256 hashes for all artifacts
- Fail-fast validation — strict config validation on startup
- Audit logging — structured logs with correlation IDs
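The practices above, as an added example that is not IRSB Solver's own code: configuration is read from environment variables and validated strictly at startup (a bad value raises and the process never starts serving), evidence is hashed with SHA-256 over a canonical encoding so key order and whitespace cannot change the digest, and every log line is a JSON record carrying a correlation ID. The variable names (`SOLVER_*`), the config fields and the log layout are assumptions chosen for illustration, not the project's actual settings.

```python
"""Added example, not IRSB Solver's own code: fail-fast env config,
SHA-256 evidence hashing, structured logs with correlation IDs.
The SOLVER_* names, config fields and log layout are assumptions."""
import hashlib
import json
import os
import uuid
from dataclasses import dataclass

HEX_DIGITS = set("0123456789abcdefABCDEF")


class ConfigError(ValueError):
    """Raised at startup so a misconfigured solver never starts serving."""


@dataclass(frozen=True)
class SolverConfig:
    rpc_url: str
    signer_key_hex: str  # 32-byte hex secret; must never reach a log line
    chain_id: int


def load_config(env: dict) -> SolverConfig:
    """Validate strictly and fail on the first problem; no silent defaults for secrets."""
    required = ("SOLVER_RPC_URL", "SOLVER_SIGNER_KEY", "SOLVER_CHAIN_ID")
    missing = [name for name in required if not env.get(name)]
    if missing:
        raise ConfigError("missing required settings: " + ", ".join(missing))

    rpc_url = env["SOLVER_RPC_URL"]
    if not rpc_url.startswith(("https://", "wss://")):
        raise ConfigError("SOLVER_RPC_URL must use https:// or wss://")

    key = env["SOLVER_SIGNER_KEY"].removeprefix("0x")
    if len(key) != 64 or not set(key) <= HEX_DIGITS:
        raise ConfigError("SOLVER_SIGNER_KEY must be 32 bytes of hex")

    try:
        chain_id = int(env["SOLVER_CHAIN_ID"])
    except ValueError:
        raise ConfigError("SOLVER_CHAIN_ID must be an integer") from None
    if chain_id <= 0:
        raise ConfigError("SOLVER_CHAIN_ID must be positive")

    return SolverConfig(rpc_url, key, chain_id)


def redacted(config: SolverConfig) -> dict:
    """Loggable view of the config: the secret is replaced by a short fingerprint."""
    fingerprint = hashlib.sha256(bytes.fromhex(config.signer_key_hex)).hexdigest()[:8]
    return {"rpc_url": config.rpc_url, "chain_id": config.chain_id,
            "signer_key": "sha256:" + fingerprint}


def hash_artifact(data: bytes) -> str:
    """SHA-256 of a raw artifact (file contents, raw response body)."""
    return hashlib.sha256(data).hexdigest()


def hash_evidence(evidence: dict) -> str:
    """Hash structured evidence over its canonical JSON form, so two equal
    documents with different key order or whitespace hash identically."""
    canonical = json.dumps(evidence, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False)
    return hash_artifact(canonical.encode("utf-8"))


def log_record(event: str, correlation_id: str, **fields) -> str:
    """One structured log line; every line for one request shares correlation_id."""
    record = {"event": event, "correlation_id": correlation_id, **fields}
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    corr = str(uuid.uuid4())
    cfg = load_config(os.environ)  # raises ConfigError (non-zero exit) if misconfigured
    print(log_record("config.loaded", corr, **redacted(cfg)))
    # Constructed sample evidence, not a real intent or quote.
    sample = {"intent_id": "0x01", "quote": {"amount": "1000", "asset": "ETH"}}
    print(log_record("evidence.hashed", corr, sha256=hash_evidence(sample)))
```

Two details carry the security weight: `redacted()` is the only path from config to a log line, so the signer key cannot leak through audit logging, and `hash_evidence()` commits to canonical JSON rather than to whatever bytes happened to be serialized, which is what makes the hash reproducible by a verifier that re-serializes the same evidence.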
We follow coordinated disclosure:
- Reporter contacts maintainers privately
- We assess and develop a fix
- Fix is released
- Public disclosure with credit (if desired)
Thank you for helping keep IRSB Solver secure.