| Version | Status | Notes |
|---|---|---|
| 0.x | active | Receives all security fixes. |
The 1.0 release will define a long-term-support window. Until then, only the
latest 0.x minor is supported.
If you believe you have found a security vulnerability in this package, please do not file a public GitHub issue. Instead, email security@blocksign.ink with:
- A description of the vulnerability and its impact.
- Steps to reproduce, including a minimal proof of concept where possible.
- Your name and contact information, if you would like credit in the advisory.
We aim to:
- Acknowledge your report within 3 business days.
- Provide a preliminary assessment within 7 business days.
- Issue a fix and coordinated advisory within 90 days for high-severity issues, or sooner for actively exploited issues.
In scope:
- Bugs in `blocksign-verify` that cause a `verified` verdict to be returned for a tampered document, or a `tampered` verdict for an untampered one.
- Bugs in stamp deserialization that allow attacker-controlled bytes to reach unsafe code paths (prototype pollution, RCE via dependency, etc.).
- Logic errors that allow a verifier to be tricked into reading the wrong Solana memo for a given PDF.
Out of scope:
- The XOR obfuscation step is not a confidentiality primitive. Reports that the protocol key is public, or that on-chain stamp metadata can be read by anyone, are not vulnerabilities — they are protocol design (see docs/PROTOCOL.md).
- Denial-of-service against a self-hosted verifier process by passing oversized inputs.
- Vulnerabilities in transitive dependencies that are not exploitable through this package's API.
We will work with you on a disclosure timeline that gives users time to upgrade. We prefer to publish a GitHub Security Advisory and request a CVE ID once a fix is available.