| Version | Supported |
|---|---|
| 0.1.x | ✅ |

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- DO NOT disclose the vulnerability publicly until it has been addressed
- Email security findings to: security@7aylabs.com
- Include the following information:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Any suggested remediation

| Phase | Timeline |
|---|---|
| Initial Response | Within 24 hours |
| Triage & Assessment | Within 72 hours |
| Patch Development | Severity dependent |
| Public Disclosure | After patch release |

| Severity | Description | Examples |
|---|---|---|
| Critical | Immediate network risk | Consensus bypass, fund theft |
| High | Significant impact | State corruption, DoS vectors |
| Medium | Limited impact | Information disclosure |
| Low | Minimal impact | Minor issues |

The 7aychain implementation enforces 78 protocol invariants (INV1-78) as defined in the PoP Specification. Key security invariants include:
- INV43: Chain binding for replay protection
- INV44: Key destruction attestation
- INV45: Discovery rate limiting
- INV46-49: Validator economic security
- INV57-60: Recovery and governance controls
- All code undergoes clippy analysis with strict security lints
- No `unsafe` code without explicit security review
- Saturating/checked arithmetic for all numeric operations
- Constant-time comparisons for cryptographic operations

| Audit | Status | Date |
|---|---|---|
| Internal Review | Ongoing | - |
| External Audit | Planned | TBD |

A bug bounty program will be announced prior to mainnet launch.
- Email: security@7aylabs.com
- PGP Key: Available upon request

Thank you for helping keep 7aychain secure.