We take security seriously and welcome good-faith reports. Thank you for helping keep FintraDex users and operators safe. 🛡️

Do NOT open public GitHub issues for vulnerabilities.

Preferred channels:

• GitHub “Report a vulnerability” (Private Vulnerability Reporting), if enabled on this repo.
• Email: security@fintradex.io (PGP available below)

Acknowledgment target: ≤ 48 hours
Status update target: ≤ 7 days

• Clear description and impact
• Affected components (paths, pallet names, runtime/node version, tag/commit)
• Minimal reproduction steps and any required configuration
• PoC or logs (if available)
• Suggested severity and CVSS vector (optional)

We will not pursue legal action or enforcement against researchers who:

• Make a good-faith effort to follow this policy,
• Avoid privacy violations, data destruction, and service disruption,
• Do not access, modify, or transfer funds/secrets,
• Report promptly and do not misuse vulnerabilities,
• Conduct testing on local/testnet unless we explicitly authorize mainnet testing.

If unsure whether your approach is permitted, email security@fintradex.io first.

Allowed

• Local/dev nodes and testnets
• Read-only probing; non-destructive fuzzing
• Using your own test accounts and tokens

Not allowed

• Impacting mainnet funds or user data
• Denial of Service against public RPCs/collators/validators
• Social engineering, phishing, or physical attacks
• Excessive automated scanning that degrades service

In scope

• Parachain runtime & pallets (/runtime, /pallets)
• Node implementation (/node, networking, RPC)
• Cross-chain glue & interfaces (XCM / ISMP / Hyperbridge)
• CI/CD build scripts that produce chain artifacts
• Public endpoints we operate (e.g., RPC/bootnodes), where applicable

Out of scope

• Third-party dependencies (please report upstream; notify us if it affects us)
• Issues requiring physical access to user devices
• Social engineering
• DoS findings that do not cause lasting impact
• Purely testnet-only issues without plausible mainnet impact (still appreciated; typically triaged lower)

We aim to provide a status update within 7 days of acknowledgment.

1. Acknowledge receipt (≤ 48h).
2. Triage & assess impact/severity (may request more info).
3. Mitigate & fix; prepare tests and backports if needed.
4. Operator coordination (if chain-critical):
   • Embargoed notice to collators/validators,
   • Signed runtime/node release and upgrade guidance,
   • Rollout and network-health verification.
5. Coordinated disclosure with reporter; publish a GitHub Security Advisory and changelog notes.
6. Credit the reporter (Hall of Fame), unless anonymity is requested.

We use a coordinated disclosure model.
Default embargo for critical issues: up to 90 days (shortened/extended based on exploitation risk and fix complexity).

Primary Contact: security@fintradex.io

For highly sensitive vulnerabilities, we offer multiple secure communication channels:

Create a private security advisory directly on GitHub:

• Link: Create Private Security Advisory
• Benefits: Structured reporting, private until disclosed, built-in collaboration

For real-time sensitive discussions:

• Signal/Telegram: Contact us via email first to exchange secure messaging details
• Encrypted Email: ProtonMail and other encrypted providers accepted

• We'll respond within 48 hours to arrange secure communication if needed
• For critical vulnerabilities, we can set up an immediate secure channel

• Do not commit secrets (keys, passwords, tokens).
• Run local checks regularly:
  • cargo fmt / cargo clippy -D warnings
  • cargo audit for Rust dependency advisories
  • gitleaks to catch secrets in git history
• Request a security review for changes touching:
  • consensus, balances, or asset movement,
  • order-matching/settlement logic,
  • ZK/proof verification,
  • cross-chain logic (XCM/ISMP/Hyperbridge).

• Pre-mainnet: third-party audit planned; report published post-remediation.
• Post-mainnet: periodic audits; targeted reviews for ZK/Risc0 components and cross-chain integrations.

Audit reports will be published publicly after remediation.

If you operate fintradex.io, consider publishing /.well-known/security.txt:

Contact: mailto:security@fintradex.io
Policy: https://github.com/fintradev/fintradex/blob/main/SECURITY.md
Encryption: https://github.com/fintradev/fintradex/raw/main/PGP_PUBLIC_KEY.asc
Preferred-Languages: en

• Security: security@fintradex.io
• General: team@fintradex.io
• Website: https://fintradex.io