Security vulnerabilities should be disclosed by email to security@openzeppelin.com.
Only the latest major version is supported and receives security updates. Alpha, Beta, and Release Candidate versions are not supported.
Security patches are released for the latest minor and patch version of the current major release.
Only critical severity bug fixes may be backported to earlier major versions.
| Version | Supported |
|---|---|
| Latest major | ✅ |
| Older majors | ❌ |
We're extremely grateful to the security researchers and users who report vulnerabilities to us. All reports are thoroughly investigated by the project's security team.
Vulnerabilities are reported privately via GitHub's Security Advisories feature. Please use the following link to submit your vulnerability: Report a vulnerability
Please see Privately reporting a security vulnerability for more information on how to submit a vulnerability using GitHub's interface.
OpenZeppelin Soroban Security Detectors SDK is made available under the GNU AGPL 3.0 License, which disclaims all warranties in relation to the project and which limits the liability of those that contribute and maintain the project, including OpenZeppelin. Your use of the project is also governed by the terms found at www.openzeppelin.com/tos (the "Terms"). As set out in the Terms, you are solely responsible for any use of OpenZeppelin Soroban Security Detectors SDK and you assume all risks associated with any such use. This Security Policy in no way evidences or represents an on-going duty by any contributor, including OpenZeppelin, to correct any flaws or alert you to all or any of the potential risks of utilizing the project.