SCRT Labs uses GitHub to manage feature requests and bugs for Secret Network. This is done via GitHub Issues.
For a feature request, please create a GitHub issue. Clearly state your use case and what value it will bring to other users or developers on Secret Network.
If it is something that can be handled by a param change, discuss it on the forum, on Telegram or on Discord in #🏛governance and consider a governance proposal.
For a bug that is non-sensitive and/or operational in nature rather than a critical vulnerability, please add it as a GitHub issue.
If it is not triaged in a couple of days, feel free to tag @reuvenpo, @toml01, @assafmo or @Cashmaney.
If you're here because you're trying to figure out how to notify us of a security issue, go to Discord or Telegram, and alert the core engineers:
| | Telegram | Discord |
|---|---|---|
| Itzik | @Cashmaney3 | Cashmaney#3500 |
| Assaf | @assafmo | assafmo#9483 |
| Tom | @toml01 | toml#7076 |
| Reuven | @ReuvenPo | Reuven \| SCRT Labs#0732 |
Please avoid opening public issues on GitHub that contain information about a potential security vulnerability as this makes it difficult to reduce the impact and harm of valid security issues.
We ask security researchers to keep vulnerabilities and communications around vulnerability submissions private and confidential until a patch is developed. In addition to this, we ask that you:
- Allow us a reasonable amount of time to correct or address security vulnerabilities.
- Avoid exploiting any vulnerabilities that you discover.
- Demonstrate good faith by not disrupting or degrading Secret Network's services.
- Once a security report is received, the SCRT Labs development team works to verify the issue.
- Patches are prepared for eligible releases in private repositories.
- We notify the community that a security release is coming, to give users and node operators time to prepare their systems for the update. Notifications can include Telegram & Discord messages, tweets, and emails to partners and validators.
- Once the community is ready, the fixes are applied publicly, new releases are issued and the source code is made public.
- Then we will pay out any relevant bug bounties to submitters.
This process can take some time. Every effort will be made to handle the bug in as timely a manner as possible. However, it's important that we follow the process described above to ensure that disclosures are handled consistently and to keep Secret Network and the projects running on it secure.