Please see Releases. We recommend using the most recently released version.
| Version | Supported |
|---|---|
| Latest | Yes |
| Older | No |
Please do not file a public issue for security vulnerabilities.
To report a vulnerability, email security@altresear.ch with:
- Description of the vulnerability
- Steps to reproduce
- Affected package(s) and version
- Potential impact assessment
| Stage | Timeline |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 1 week |
| Fix development | Depends on severity |
| Public disclosure | After fix is released |
- EVM interpreter vulnerabilities (`core/vm/`)
- State transition bugs (`core/`, `geth/`)
- Cryptographic implementation issues (`crypto/`, `crypto/pqc/`)
- Consensus logic errors (`consensus/`)
- P2P protocol vulnerabilities (`p2p/`)
- Engine API security issues (`engine/`)
- Transaction pool manipulation (`txpool/`)

- Issues in reference submodules (`refs/`) — report these to their upstream projects
- Issues requiring physical access to the machine
- Social engineering attacks
- Denial of service through expected resource usage
We ask that you:
- Give us reasonable time to fix the issue before public disclosure
- Make a good faith effort to avoid data destruction and service disruption
- Do not access or modify data belonging to others
- Act in good faith to avoid degrading our services
We commit to:
- Acknowledging your report promptly
- Keeping you informed of our progress
- Crediting you (if desired) when we publish the fix
- Not pursuing legal action against good-faith security researchers