Security: SebastianBoehler/compute_atlas

SECURITY.md

Security Policy

Supported scope

Security reports are welcome for:

  • API authentication and rate-limiting flaws
  • secrets handling
  • Solana transaction signing and publication flow
  • dependency vulnerabilities
  • supply-chain risks in provider ingestion
  • data integrity issues that could materially affect published oracle values

Reporting

Please do not open public GitHub issues for suspected vulnerabilities.

Report vulnerabilities to [email protected] with:

  • a clear description of the issue
  • affected files or packages
  • reproduction steps or proof of concept
  • impact assessment

If GitHub Security Advisories are enabled for the repository, private security reports through GitHub are also welcome.

Response targets

  • Initial acknowledgment: within 5 business days
  • Triage decision: within 10 business days
  • Remediation timeline: depends on severity and operational risk

Disclosure

We prefer coordinated disclosure. Once a fix is available and affected users have had a reasonable upgrade window, we will publish a public advisory when appropriate.

There aren’t any published security advisories