Security fixes are applied to the latest release on main and the most recent tagged release.
| Version | Supported |
|---|---|
| main (latest) | Yes |
| Latest tagged release | Yes |
| Older releases | Best effort |
Do not open a public GitHub issue for security vulnerabilities.
Report privately so we can investigate and patch before disclosure.
| Channel | Details |
|---|---|
| Email | security@safrochain.com |
| Subject | [safhandle-contract] Brief description |
| PGP | Available on request |
Please include in your report:
- Description of the vulnerability and its impact
- Steps to reproduce or a proof of concept
- Affected contract code ID, address, or commit SHA
- Suggested fix (optional)
- Your contact information for follow-up
Issues of particular interest for this contract include:
- Unauthorized name or phone registration (fee bypass, ownership hijack)
- Governance parameter manipulation outside authorized paths
- Resolution returning wrong `addr_safro` addresses
- Phone number enumeration or privacy leaks
- Fee routing to incorrect accounts
- Migration logic that corrupts registry state
| Stage | Target |
|---|---|
| Initial acknowledgment | 2 business days |
| Severity assessment | 5 business days |
| Fix or mitigation plan | 15 business days (critical may be faster) |
| Coordinated disclosure | After patch is available |
- We practice coordinated disclosure.
- Credit is given in the advisory and `CHANGELOG.md` when desired.
- Public disclosure should wait until a fix is deployed on-chain, unless the issue is already public.
Good-faith security research is welcome when it:
- Does not access data that is not yours
- Does not degrade service for other users
- Does not exploit findings beyond demonstrating impact
- Stops and reports when sensitive user data is discovered
Once Rust dependencies are added, we will monitor them via Dependabot and CI audits.