
Security: aakash4dev/vrfcall


docs/SECURITY.md

Security Policy

Supported Versions

We provide security updates for the following versions of VRFCall:

Version Supported
Latest
< Latest

Reporting a Vulnerability

We take the security of VRFCall seriously. If you discover a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.

How to Report

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via one of the following methods:

  1. Email: Send an email to the project maintainer with details about the vulnerability
  2. Private Security Advisory: If you have access, create a private security advisory on GitHub

What to Include

When reporting a security vulnerability, please include:

  • Description: A clear description of the vulnerability
  • Impact: The potential impact of the vulnerability
  • Steps to Reproduce: Detailed steps to reproduce the issue (if applicable)
  • Proof of Concept: Any code or examples that demonstrate the vulnerability (if safe to share)
  • Suggested Fix: Any ideas for how the vulnerability could be fixed (optional)

What to Expect

  • Acknowledgment: You will receive an acknowledgment within 48 hours
  • Initial Assessment: We will provide an initial assessment within 7 days
  • Updates: We will keep you informed of our progress
  • Resolution: We will work to resolve the issue as quickly as possible

Disclosure Policy

  • We will work with you to understand and resolve the issue quickly
  • We will credit you for the discovery (unless you prefer to remain anonymous)
  • We will not disclose the vulnerability publicly until a fix is available
  • We will coordinate with you on the disclosure timeline

Security Best Practices

When using VRFCall, please follow these security best practices:

Private Key Management

  • ⚠️ Never commit private keys or account information to version control
  • 🔒 Store private keys securely using the keyring system
  • 🚫 Do not share private keys or account credentials
  • 🔐 Use strong passphrases for keyring encryption

Network Security

  • 🔒 Use HTTPS/TLS when connecting to remote blockchain nodes
  • 🛡️ Verify the authenticity of blockchain endpoints
  • 🚫 Avoid connecting to untrusted blockchain nodes
  • 🔐 Consider using VPN or secure networks for production deployments

Account Security

  • 🔑 Use separate accounts for development and production
  • 💰 Never use accounts with significant funds for testing
  • 🔄 Regularly rotate keys and update credentials
  • 📝 Monitor account balances and transactions

Code Security

  • ✅ Keep dependencies up to date
  • 🔍 Review code changes before deployment
  • 🧪 Test changes in a safe environment first
  • 📦 Use official and verified packages

Environment Variables

  • 🔐 Store sensitive configuration in environment variables
  • 🚫 Never hardcode credentials in source code
  • 📝 Use .env files with proper .gitignore rules
  • 🔒 Restrict access to configuration files

Known Security Considerations

Blockchain Interaction

  • Transactions are irreversible once confirmed
  • Always verify transaction parameters before broadcasting
  • Double-check recipient addresses and amounts
  • Monitor gas limits to prevent failed transactions

Seed Data

  • Seed data should be kept confidential
  • Use cryptographically secure random sources when generating seeds
  • Do not reuse seeds across different operations
  • Validate seed data before use

Signature Components

  • ECDSA signature components (R, S) should be kept secure
  • Never expose private keys or signature generation details
  • Verify signatures before accepting them
  • Use secure random number generation for nonces
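The Seed Data and Signature Components guidance above, as an added example (this is not code from the VRFCall project; its seed format, curve and signing API are not described on this page). The block uses only the Go standard library and assumes a 32-byte seed and the P-256 curve: seeds come from crypto/rand and are validated before use, ecdsa.Sign draws its per-signature nonce from rand.Reader, and the accepting side checks the (R, S) pair against the signer's public key before treating the seed as genuine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// seedLen is an assumed seed size; VRFCall's own seed format is not specified here.
const seedLen = 32

// NewKey generates a P-256 key pair from the OS CSPRNG (curve choice is an assumption).
func NewKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewSeed draws a fresh seed from crypto/rand (never math/rand). A new seed
// should be drawn for every operation rather than reused.
func NewSeed() ([]byte, error) {
	seed := make([]byte, seedLen)
	if _, err := rand.Read(seed); err != nil {
		return nil, err
	}
	return seed, nil
}

// ValidateSeed rejects seeds of the wrong length and the all-zero seed, a
// classic symptom of an uninitialised buffer being signed by mistake.
func ValidateSeed(seed []byte) error {
	if len(seed) != seedLen {
		return fmt.Errorf("seed must be %d bytes, got %d", seedLen, len(seed))
	}
	allZero := true
	for _, b := range seed {
		if b != 0 {
			allZero = false
			break
		}
	}
	if allZero {
		return errors.New("seed is all zeros")
	}
	return nil
}

// Signature carries the (R, S) components the policy refers to.
type Signature struct {
	R, S *big.Int
}

// SignSeed signs SHA-256(seed). ecdsa.Sign takes the per-signature nonce k
// from rand.Reader; a predictable or reused k lets anyone who sees two
// signatures recover the private key, which is why nonces need a CSPRNG.
func SignSeed(priv *ecdsa.PrivateKey, seed []byte) (Signature, error) {
	if err := ValidateSeed(seed); err != nil {
		return Signature{}, err
	}
	digest := sha256.Sum256(seed)
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return Signature{}, err
	}
	return Signature{R: r, S: s}, nil
}

// AcceptSeed is the verifying side: validate the seed, check the (R, S) pair
// against the signer's public key, and only then report the seed as accepted.
func AcceptSeed(pub *ecdsa.PublicKey, seed []byte, sig Signature) bool {
	if err := ValidateSeed(seed); err != nil {
		return false
	}
	if sig.R == nil || sig.S == nil {
		return false
	}
	digest := sha256.Sum256(seed)
	return ecdsa.Verify(pub, digest[:], sig.R, sig.S)
}

func main() {
	priv, err := NewKey()
	if err != nil {
		panic(err)
	}
	seed, err := NewSeed()
	if err != nil {
		panic(err)
	}
	sig, err := SignSeed(priv, seed)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine seed accepted:", AcceptSeed(&priv.PublicKey, seed, sig))
	// Flip one bit of the seed: the same (R, S) must now be rejected.
	tampered := append([]byte{}, seed...)
	tampered[0] ^= 0x01
	fmt.Println("tampered seed accepted:", AcceptSeed(&priv.PublicKey, tampered, sig))
}
```

The point of keeping validation inside both SignSeed and AcceptSeed is that the verifier never trusts the signer's checks: a seed that is malformed, or a signature made with a different key, is rejected before any downstream use.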

Security Updates

Security updates will be:

  • Released as soon as possible after discovery
  • Documented in release notes
  • Tagged with appropriate security labels
  • Communicated to users through GitHub releases

Additional Resources

Contact

For security-related questions or concerns, please contact:

Thank you for helping keep VRFCall secure! 🔒

There aren’t any published security advisories