Please do not open a public GitHub issue for security vulnerabilities.
Email the maintainer directly at a.lacava@northeastern.edu with the subject prefix [SECURITY]. Include:
- A description of the vulnerability and its impact.
- Steps to reproduce (commands, configuration, sample inputs).
- The version / commit you tested against.
- Any suggested mitigation, if you have one.
You may use GitHub's private vulnerability reporting on the public mirror as an alternative.
This is a research library. Only the latest minor release on main is actively supported with security fixes.
| Version | Supported |
|---|---|
| Latest main | Yes |
| Older releases | No (please upgrade) |
- We aim to acknowledge reports within 7 calendar days.
- Critical issues are targeted for a fix within 30 days of acknowledgement; lower-severity issues are scheduled with the reporter.
- Disclosure is coordinated with the reporter. Reporters are credited in release notes unless they request otherwise.
In scope: code under this repository, its build/release pipeline, and its packaging on PyPI (dapps).
Out of scope: third-party dependencies (please report to the upstream project), infrastructure outside this repo, and issues that require attacker-controlled access to a host already running the dApp.