| Version | Supported |
|---|---|
| 1.x.x | ✅ |

If you discover a security vulnerability in Shogun Relay, please report it responsibly:

- DO NOT open a public GitHub issue for security vulnerabilities
- Email security concerns to the maintainers directly
- Include as much detail as possible:
  - Type of vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

Response timeline:

- Initial Response: Within 48 hours
- Assessment: Within 1 week
- Fix Timeline: Depends on severity
  - Critical: 24-48 hours
  - High: 1 week
  - Medium: 2 weeks
  - Low: Next release

This project implements several security measures:
- Timing-safe token comparison (prevents timing attacks)
- SHA-256 hashed admin tokens
- Rate limiting on failed attempts
- Nonce-based replay attack prevention
- Atomic balance operations with locking
- Signature verification on all withdrawals
- Frozen-data pattern for immutable balance records
- EIP-3009 signature verification
- Time-window validation
- Nonce tracking to prevent replay

Security review status:

- Internal code review: completed
- External security audit: pending
- Formal verification: planned

Currently, we do not have a formal bug bounty program. However, responsible disclosure of significant security issues will be acknowledged in release notes.