Only the latest main branch and the most recent release are supported with security fixes.

Older releases may not receive patches.

If you discover a security issue, do not open a public issue.

Please report it privately via GitHub Security Advisories:

• Go to: Security → Advisories → New draft advisory
• Or use the “Report a vulnerability” button on the Security tab

Include:

• a clear description of the issue
• affected components or configs
• minimal repro steps (if possible)
• potential impact (funds, state, availability, integrity)

Please avoid public disclosure until we have acknowledged and addressed the report.

This policy applies to:

• validator runtime behavior
• consensus / state handling
• RPC / API surfaces
• config parsing and defaults
• on-disk formats and migrations

We aim to:

• acknowledge reports within a few business days
• assess severity and impact promptly
• coordinate disclosure when appropriate

Thanks for helping keep the codebase safe and predictable.