Skip to content

Security: maple19out/transfer-lens

Security

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not open a public issue for security problems.

  • Preferred: open a private report via GitHub → Security → Report a vulnerability (Private Vulnerability Reporting).
  • Or email maple19out@gmail.com with details and, if possible, steps to reproduce.

You'll get an acknowledgement as soon as practical. Since this is a solo-maintained project, please allow reasonable time for a fix before any public disclosure.

Scope

transfer-lens reads from Solana RPC/gRPC endpoints and writes to Postgres; it holds no funds and signs no transactions. The most relevant concerns are:

  • Credential handling — RPC/gRPC tokens and the Postgres URL live in .env / config/indexer.toml (both gitignored) or INDEXER__* env vars. Never commit real credentials. The config's Debug impls mask URLs and tokens to avoid leaking them in logs.
  • SQL safety — the configurable schema name is validated to [A-Za-z0-9_]+ and identifier-quoted; all row writes are parameterized. Reports of injection vectors are welcome.

Supported versions

The project is pre-1.0; only the latest main is supported. Fixes land on main rather than being backported.

There aren't any published security advisories