Security

Report a vulnerability

SECURITY.md

Coordinated Vulnerability Disclosure Policy

IMPORTANT: DO NOT open public issues on this repository for security vulnerabilities.

Canonical Policies

Our canonical policies are maintained here:

Security Policy (reporting process, scope, disclosure standards):
https://github.com/cosmos/security/blob/main/SECURITY.md
Release & Maintenance Policy (supported versions, lifecycle, EOL):
https://github.com/cosmos/security/blob/main/POLICY.md
HackerOne Bug Bounty Program:
https://hackerone.com/cosmos

All vulnerability scope, supported versions, lifecycle timelines, and reporting procedures are governed by the Security Policy and Release & Maintenance Policy linked above.

Reporting a Vulnerability

Security vulnerabilities must be reported via:

HackerOne: https://hackerone.com/cosmos

Please refer to the Security Policy for full reporting and disclosure details.

ISA-2025-005: Integer Overflow in Cosmos SDK
GHSA-p22h-3m2v-cmgh published Jul 8, 2025 by technicallyty

High
ISA-2025-002: x/group can halt when erroring in EndBlocker
GHSA-47ww-ff84-4jrg published Mar 12, 2025 by aljo242

High
ASA-2025-003: Groups module can halt chain when handling a malicious proposal
GHSA-x5vx-95h7-rv4p published Feb 20, 2025 by aljo242

High
ASA-2024-0012, ASA-2024-0013: CosmosSDK: Transaction decoding may result in a stack overflow or resource exhaustion
GHSA-8wcc-m6j2-qxvm published Dec 16, 2024 by julienrbrt

High
ASA-2024-010: cosmossdk.io/math: Mismatched bit-length validation in sdk.Int and sdk.Dec can lead to panic
GHSA-7225-m954-23v7 published Nov 20, 2024 by julienrbrt

High
ASA-2024-006: ValidateVoteExtensions helper function may allow incorrect voting power assumptions
GHSA-95rx-m9m5-m94v published Mar 12, 2024 by mizmo18

High
ASA-2024-002: Default `PrepareProposalHandler` may produce invalid proposals when used with default `SenderNonceMempool`
GHSA-2557-x9mg-76w8 published Feb 20, 2024 by mizmo18

Moderate
ASA-2024-003: Missing `BlockedAddressed` Validation in Vesting Module
GHSA-4j93-fm92-rp4m published Feb 20, 2024 by mizmo18

Moderate
ASA-2024-005: Potential slashing evasion during re-delegation
GHSA-86h5-xcpx-cfqc published Feb 27, 2024 by mizmo18

Low
ASA-2023-001: Cosmovisor
GHSA-23px-mw2p-46qm published Sep 6, 2023 by jessysaurusrex

Moderate

Learn more about advisories related to cosmos/cosmos-sdk in the GitHub Advisory Database