| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
We take security seriously at Rustchain. If you discover a security vulnerability, please follow responsible disclosure:
- DO NOT open a public GitHub issue for security vulnerabilities
- Submit your findings to the repository maintainers via GitHub's private vulnerability reporting
- Alternatively, reach out on Discord via DM to a maintainer
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Suggested fix (if any)
What you can expect after reporting:
- Acknowledgment within 48 hours of your report
- Initial assessment within 1 week
- Resolution timeline communicated after assessment
- Credit in the security advisory (unless you prefer to remain anonymous)
Security-related contributions are eligible for RTC token rewards:
| Severity | Reward |
|---|---|
| Critical (consensus, funds at risk) | 100-150 RTC |
| High (data leak, auth bypass) | 75-100 RTC |
| Medium (DoS, logic error) | 20-50 RTC |
| Low (info disclosure, best practice) | 1-10 RTC |
The following are in scope for security reports:
- Consensus mechanism vulnerabilities
- Proof-of-Antiquity validation bypasses
- Hardware fingerprinting spoofing
- Solana bridge (wRTC) contract issues
- API authentication/authorization flaws
- Denial of service vectors
- Cryptographic weaknesses
The following are out of scope:
- Social engineering attacks
- Issues in dependencies (report upstream)
- Issues requiring physical access to hardware
- Theoretical attacks without proof of concept
Security practices for contributors:
- Never commit API keys, tokens, or credentials
- Use environment variables for sensitive configuration
- Validate all user inputs
- Follow the principle of least privilege
- Keep dependencies up to date
We follow a 90-day coordinated disclosure policy. After a fix is deployed, we will publish a security advisory crediting the reporter.