The Tangle team takes the security of our project seriously. We appreciate the efforts of security researchers and our community to help us ensure our software is secure.
Please do not report security vulnerabilities through public GitHub issues.
We use GitHub's Private Vulnerability Reporting feature, which allows you to privately disclose a security vulnerability to the project maintainers.
- Go to the "Security" tab of the Tangle repository.
- Click on "Report a vulnerability" or go directly to
https://github.com/TangleML/tangle/security/advisories/new - Fill out the form with as much detail as possible, including:
- A description of the vulnerability.
- The component or code path affected.
- The version(s) affected.
- Steps to reproduce the issue or a proof-of-concept (PoC).
- Any potential impact (e.g., data exfiltration, denial of service).
If for any reason you cannot use GitHub's private reporting, you can send an email to our private security-list: [email protected]. Please use "Tangle Security Vulnerability" as the subject line.
When you report a vulnerability to us, we commit to the following:
- We will acknowledge your report within 5 business days.
- We will work with you to understand the issue and confirm its validity.
- We will provide a timeline for a fix and keep you updated on our progress.
- We will coordinate with you on a public disclosure and advisory. We will credit you for your discovery unless you prefer to remain anonymous.