From 7fb266a004a4fe4ad1f6ea205421c2d2054fffd3 Mon Sep 17 00:00:00 2001 From: "Pazent (aedsc)" Date: Thu, 28 May 2026 14:14:20 +0200 Subject: [PATCH] docs: add SECURITY.md with private disclosure policy Adds a minimal SECURITY.md so that researchers have a clear, non-public channel for reporting vulnerabilities. Uses GitHub's built-in Private Vulnerability Reporting feature, leaving any preferred email or PGP key to be added by maintainers as needed. Industry-standard 90-day disclosure window mentioned as a default, extendable at maintainers' discretion. --- SECURITY.md | 49 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..cf3c1ff --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in zenith, please report it +**privately** using GitHub's [Private vulnerability reporting][gh-psirt] +feature on this repository. + +Please do **not** open a public issue or pull request for security +findings — disclosing before a patch ships can put users and +integrators at risk. + +A useful report includes: + +- A description of the issue and the affected contract(s) / line(s) +- Steps to reproduce, or a proof-of-concept +- Your assessment of impact and which actors are affected + (users, fillers, sequencers, the sequencer admin) +- Any suggested remediation + +Maintainers will acknowledge reports and provide initial triage as +soon as practical. + +## Disclosure Timeline + +Responsible disclosure is appreciated. A typical industry-standard +window is 90 days between report and public disclosure, extendable +when a fix requires ecosystem coordination (e.g. fillers updating +off-chain infrastructure). + +## Scope + +In scope: + +- All contracts under `src/` + +Out of scope: + +- Issues in dependencies under `lib/` — please report upstream to the + respective project +- Test contracts under `test/` + +## Bug Bounty + +There is no formal bug bounty program at the time of this writing. +Researchers who follow this policy may be acknowledged in patch +release notes at the maintainers' discretion. + +[gh-psirt]: https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability
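Review bot: The "Reporting a Vulnerability" section directs researchers to GitHub's Private vulnerability reporting, but that feature is opt-in and only works once a maintainer enables it in the repository's Settings under Code security; the commit message says the email/PGP contact is deliberately left to maintainers, so until the feature is enabled (or a fallback contact is added) the policy gives reporters no working private channel. Suggest either confirming in the PR that it is enabled, or adding a line such as "If private reporting is not available on this repository, contact the maintainers at [TBD]" so the document fails safe. Two smaller points in the same hunk: "Maintainers will acknowledge reports and provide initial triage as soon as practical" sets no expectation at all, and a concrete target (e.g. "within N business days") is what lets a reporter decide when the 90-day clock in "Disclosure Timeline" should start; and the "Out of scope" bullet "Issues in dependencies under `lib/`" could be read as excluding bugs in how contracts under `src/` use those dependencies, so consider wording it as "vulnerabilities that exist solely in the upstream dependency" to keep integration mistakes in scope.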