The StarkEd team takes the security of the platform seriously. Because StarkEd handles educational credentials and on-chain assets, we appreciate the work of security researchers and the community in keeping our users safe.
StarkEd is currently in active alpha development. Security fixes are applied to the latest
release and the main branch.
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, report them privately through one of the following channels:
- Email:
security@starked-education.org - GitHub Private Vulnerability Reporting: Use the Report a vulnerability button on the repository's Security tab.
To help us triage quickly, please include as much of the following as you can:
- A description of the vulnerability and its potential impact.
- The affected component (contracts, backend, frontend, or CI/CD) and version or commit.
- Step-by-step instructions to reproduce the issue.
- Proof-of-concept code or screenshots, if available.
- Any suggested remediation.
- We will acknowledge your report within 3 business days.
- We will provide an initial assessment within 7 business days.
- We will keep you informed of our progress toward a fix.
- We will credit you in the release notes once the issue is resolved, unless you prefer to remain anonymous.
We follow a coordinated disclosure process:
- You report the vulnerability privately.
- We confirm the issue and determine its severity.
- We develop and test a fix.
- We release the fix and publish a security advisory.
- Public disclosure happens after a fix is available, typically within 90 days of the initial report.
Please give us a reasonable opportunity to address the issue before any public disclosure.
The following are in scope for security reports:
- Smart contract logic in
contracts/. - Backend API and authentication in
backend/. - Frontend application and wallet integration in
frontend/. - CI/CD configuration and secrets handling in
.github/.
The following are generally out of scope:
- Vulnerabilities in third-party dependencies that are already publicly disclosed (these
are tracked via Dependabot and
npm audit/cargo audit). - Issues requiring physical access to a user's device.
- Social engineering of StarkEd staff or users.
- Denial-of-service attacks.
This repository runs automated security checks on every push and pull request:
- CodeQL static analysis (SAST) for JavaScript/TypeScript and Rust.
- npm audit and cargo audit dependency vulnerability scanning.
- Gitleaks secret scanning to prevent committed credentials.
- Trivy filesystem/dependency vulnerability scanning.
- Dependency Review on pull requests.
- Dependabot weekly automated dependency updates.
See .github/workflows/security.yml and .github/workflows/ci.yml for details.
- Never commit secrets, API keys, private keys, or
.envfiles. Use.env.examplefor placeholders. - Run
npm audit(backend/frontend) andcargo audit(contracts) before opening a PR. - Validate and sanitize all user input on the backend.
- Follow the principle of least privilege for credentials and access tokens.
Thank you for helping keep StarkEd and its users secure.