At RetailDAO, we take the security of our systems, applications, and community seriously. This document outlines how to report security vulnerabilities and which versions of our software are supported with security updates. Thank you for helping us keep RetailDAO secure.
The following versions of RetailDAO’s software are currently supported with security updates. Unsupported versions will not receive patches, so we recommend upgrading to a supported version.

| Version | Supported |
|---|---|
| 0.0.1 | ✅ |
| < 0.0.1 | ❌ |

If you discover a security vulnerability in any RetailDAO project, please report it promptly and responsibly. We appreciate your efforts to disclose issues securely and will work with you to address them.
- Use the GitHub Security Advisory: Report vulnerabilities directly through GitHub’s Security Advisory feature for the relevant repository.
- Include Details: Provide a clear description of the vulnerability, steps to reproduce it, potential impact, and any suggested fixes. If possible, include logs, screenshots, or proof-of-concept code.
- Encrypt if Necessary: For sensitive reports, use our public PGP key (available upon request via the above email) to encrypt your message.
- Acknowledgment: We’ll confirm receipt of your report within 24–48 hours.
- Updates: Expect progress updates every 5–7 business days or as significant developments occur.
- Validation: We’ll assess the vulnerability’s impact and validity. If accepted, we’ll work on a fix and coordinate a responsible disclosure timeline. If declined (e.g., out-of-scope or not reproducible), we’ll explain why.
- Disclosure: We aim to release fixes within 30–60 days, depending on severity. We’ll credit you in the advisory (unless you prefer anonymity) once the issue is public.
- Response Time: Critical issues (e.g., remote code execution) are prioritized for immediate action, while lower-severity issues may take longer.
- In-Scope: Vulnerabilities in RetailDAO’s public repositories, smart contracts, APIs, or web applications under our control.
- Out-of-Scope: Third-party dependencies (report to their maintainers), social engineering, or denial-of-service attacks.
Please do not publicly disclose the vulnerability until we’ve had a chance to address it. We’ll collaborate with you to ensure a coordinated release of the fix and advisory.
- Keep your dependencies up-to-date.
- Use supported versions of our software.
- Monitor our repositories for security advisories and updates.
For questions or assistance, reach out via Discord or open an issue in our main repository.
Thank you for helping protect RetailDAO and our community!