If you discover a security vulnerability in MIESC, please report it responsibly.
DO NOT open a public GitHub issue for security vulnerabilities.
- Email: Send details to fboiero@frvm.utn.edu.ar
- Subject: `[SECURITY] MIESC - Brief description`
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
| Action | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix development | Within 30 days |
| Public disclosure | After fix is released |
In scope:
- MIESC framework code (`src/`, `miesc/`)
- Docker images (`docker/`)
- GitHub Action (`action.yml`)
- Web dashboard (`webapp/`)
- LLM prompt injection in the security analysis pipeline
Out of scope:
- Third-party tools (Slither, Mythril, etc.) — report to their maintainers
- Vulnerabilities in the smart contracts being analyzed (finding those is what MIESC does)
| Version | Supported |
|---|---|
| 5.1.x | Yes |
| < 5.0 | No |
We credit security researchers who responsibly disclose vulnerabilities in our CONTRIBUTORS.md and in the release notes.
MIESC follows these security practices:
- Pre-commit hooks: Bandit (SAST), detect-secrets, Ruff
- CI/CD: Semgrep, pip-audit, safety checks
- Dependencies: Weekly vulnerability scanning
- Docker: Non-root user, minimal base image
- LLM: Local-first (Ollama), prompt sanitization