We actively support and provide security updates for the following versions:

| Version | Supported |
|---|---|
| Latest | ✅ |
| Previous major versions | ✅ (for 6 months after new major release) |

If you discover a security vulnerability, please do not report it publicly. Instead, please follow these steps:
- Email us directly at eng@mento.org with details about the vulnerability
- Include as much information as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- We will acknowledge receipt of your report within 72 hours
- We will provide an initial assessment within 7 days
- We will keep you informed of our progress and resolution timeline
When reporting vulnerabilities, please:
- Do not create a public GitHub issue
- Do not discuss the vulnerability publicly until it has been resolved
- Do provide detailed information to help us understand and reproduce the issue
- Do allow us reasonable time to address the issue before public disclosure
- Initial Response: Within 72 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity:
  - Critical: Immediate attention, fix within 24-48 hours
  - High: Fix within 7 days
  - Medium: Fix within 30 days
  - Low: Fix in next scheduled release
We appreciate responsible disclosure and will acknowledge security researchers who help us improve the security of our project (with your permission).
Security updates will be released as soon as possible after a vulnerability is confirmed and fixed. We will:
- Release patches for supported versions
- Publish a security advisory on GitHub
- Credit the reporter (if desired)
Thank you for helping keep Mento Protocol secure!