evmsec is a security tool, so we hold its own security to a high bar — and we
care about two distinct things: vulnerabilities in this code, and the accuracy
of the answers it gives about on-chain systems.
Please do not open a public issue for security vulnerabilities.
Report privately via GitHub's
private vulnerability reporting
("Report a vulnerability" under the repository's Security tab). If that is
unavailable, contact the maintainer listed in package.json.
Please include:
- a description of the issue and its impact,
- steps to reproduce (a minimal command line or input is ideal),
- the version / commit you tested, and
- any suggested remediation.
We aim to acknowledge a report within 72 hours and to agree on a disclosure timeline with you. We support coordinated disclosure and will credit reporters who want it.
In scope:
- the CLI and library code in `src/`,
- the build/release pipeline and CI configuration,
- the bundled `bridges.json` registry, only for correctness of the cited addresses (a wrong escrow address makes the tool lie; see below).
Out of scope:
- vulnerabilities in third-party RPC providers or upstream dependencies (report those upstream; we will bump once a fix is released),
- denial of service caused by pointing the tool at an unreliable or malicious RPC endpoint.
evmsec answers questions like "is this bridge fully backed?" and "is this
verifier quantum-vulnerable?" A security tool fed the wrong addresses lies
confidently. Two consequences:
- The bundled `bridges.json` entries are illustrative. Every address must be verified against the bridge's own primary source before a result is trusted. A mis-attributed address in the registry is treated as a security-relevant bug; report it.
- The `pq-readiness` and `upgradeability` checks are heuristics over deployed bytecode and storage slots, honestly scoped in the README. They are decision inputs, not proofs: a finding of "no evidence" is not a finding of "safe". If you find a case where the tool asserts a positive safety claim it cannot support, that is a bug we want to hear about.
The project is pre-1.0. Security fixes are applied to the latest release and the
master branch. Pin a commit or released version in production and watch
releases for advisories.