Security: PeoPay/PeoPay-Core

SECURITY.md

Security Policy

We take security issues seriously and appreciate your efforts to responsibly disclose any vulnerabilities you find. This document provides guidelines on how to report security issues to the PeoPay-Core team and what you can expect from us in return.

Supported Versions

We recommend using the latest version of the contracts and dependencies. Security fixes are generally applied to the main branch and later integrated into releases.

Reporting Vulnerabilities

If you believe you have found a security vulnerability in PeoPay-Core contracts or related code, please do not disclose it publicly. Instead, follow these steps:

  1. Contact the Team Privately:

    • Send an email to [email protected] with the subject line: "Security Vulnerability: [Short Description]".
    • Include as many details as possible: steps to reproduce, contract addresses, specific lines of code if possible, and any exploit scenario you envision.
    • If your report contains sensitive information (e.g., private keys or user data), please use encrypted communication methods. We can provide a PGP key upon request.
  2. Provide Detailed Information:

    • Explain the type of vulnerability (e.g., reentrancy, integer overflow, incorrect access control).
    • Include proof-of-concept code if available.
    • Suggest any potential fixes or mitigations if you have ideas.
  3. Await Response:

    • You will receive an acknowledgment within 72 hours confirming receipt of your report.
    • The team may request additional information or clarifications to reproduce and understand the issue fully.

What to Expect

  • Confidentiality:
    We will keep your identity and the details of your report confidential until we have a solution or until we mutually agree on public disclosure.

  • Response Timeline:
    Our goal is to investigate and address security issues promptly. After confirming the vulnerability, we will work on a fix or mitigation plan. This may involve:

    • Deploying a patch to main.
    • Notifying impacted users or ecosystem participants.
    • Coordinating a responsible disclosure timeline that all parties agree upon.
  • Disclosure Policy:
    We prefer coordinated disclosure. Once a fix is implemented and tested, we will work with you to set a public disclosure date. If we cannot address the issue promptly, we will keep you informed of our progress and expected timelines.

Recognition and Rewards

  • While we do not have a formal bug bounty program at this time, we greatly appreciate your responsible disclosure. If and when a bug bounty program is introduced, we will publish details and guidelines. Your contribution will not be forgotten, and we may publicly acknowledge and thank individuals who help improve the security of the ecosystem, with their permission.

No Public Disclosure Without Consent

If you discover a vulnerability, please do not post it publicly or share details with others until it has been resolved and publicly disclosed by the team. Premature public disclosure could harm users and the ecosystem.

Contact

  • Email: [email protected]
  • For general inquiries or non-sensitive issues, open a GitHub Issue on the repository or join our community channels.

Your vigilance and cooperation in maintaining the security of PeoPay-Core and its ecosystem are greatly appreciated.