
Security: RetailDAO/Docs

SECURITY.md

Security Policy

Overview

At RetailDAO, we take the security of our systems, applications, and community seriously. This document outlines how to report security vulnerabilities and which versions of our software are supported with security updates. Thank you for helping us keep RetailDAO secure.

Supported Versions

The following versions of RetailDAO’s software are currently supported with security updates. Unsupported versions will not receive patches, so we recommend upgrading to a supported version.

Version   Supported
0.0.1     Yes
< 0.0.1   No

Reporting a Vulnerability

If you discover a security vulnerability in any RetailDAO project, please report it promptly and responsibly. We appreciate your efforts to disclose issues securely and will work with you to address them.

How to Report

  • Use the GitHub Security Advisory: Report vulnerabilities directly through GitHub’s Security Advisory feature for the relevant repository.
  • Include Details: Provide a clear description of the vulnerability, steps to reproduce it, potential impact, and any suggested fixes. If possible, include logs, screenshots, or proof-of-concept code.
  • Encrypt if Necessary: For sensitive reports, use our public PGP key (available upon request through the contact channels listed below) to encrypt your message. Never post vulnerability details in a public issue or Discord channel.

What to Expect

  • Acknowledgment: We’ll confirm receipt of your report within 24-48 hours.
  • Updates: Expect progress updates every 5–7 business days or as significant developments occur.
  • Validation: We’ll assess the vulnerability’s impact and validity. If accepted, we’ll work on a fix and coordinate a responsible disclosure timeline. If declined (e.g., out-of-scope or not reproducible), we’ll explain why.
  • Disclosure: We aim to release fixes within 30–60 days, depending on severity. We’ll credit you in the advisory (unless you prefer anonymity) once the issue is public.
  • Response Time: Critical issues (e.g., remote code execution) are prioritized for immediate action, while lower-severity issues may take longer.

Scope

  • In-Scope: Vulnerabilities in RetailDAO’s public repositories, smart contracts, APIs, or web applications under our control.
  • Out-of-Scope: Third-party dependencies (report to their maintainers), social engineering, or denial-of-service attacks.

Responsible Disclosure

Please do not publicly disclose the vulnerability until we’ve had a chance to address it. We’ll collaborate with you to ensure a coordinated release of the fix and advisory.

Security Best Practices

  • Keep your dependencies up-to-date.
  • Use supported versions of our software.
  • Monitor our repositories for security advisories and updates.

Contact

For general questions or assistance, reach out via Discord or open an issue in our main repository. Do not use these public channels to report a vulnerability; use the GitHub Security Advisory process described above so the details stay private until a fix is released.

Thank you for helping protect RetailDAO and our community!
