
Security: groundstate888/groundstate


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.5.x     Yes
< 0.5     No

Always run the latest minor version.

Reporting a Vulnerability

Please DO NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Report privately by emailing security@groundstate.network (once configured) or by contacting a maintainer directly via an encrypted channel.

You should receive a response within 48 hours. If you do not, please follow up to make sure the message was received.

Include in your report:

  • Description of the vulnerability
  • Steps to reproduce
  • Impact assessment (what can an attacker do?)
  • Suggested fix (if you have one)
  • Whether you want public credit after disclosure

Bounty Program

GroundState runs a bug bounty program. See BOUNTIES.md for reward tiers:

Tier       Reward
Critical   10,000 – 50,000 GRND
High        2,000 – 10,000 GRND
Medium        500 –  2,500 GRND
Low           100 –    500 GRND

Payouts are made from the Community Development Fund (treasury) after fix deployment and coordinated disclosure.

Disclosure Timeline

We follow a coordinated disclosure timeline:

  1. Day 0 — You report privately
  2. Day ≤ 2 — We acknowledge your report
  3. Day ≤ 30 — Fix developed, tested, deployed
  4. Day ≤ 60 — Coordinated public disclosure

Complex issues may need a longer timeline. We will communicate clearly if so.

Scope

In scope

  • Consensus bugs (double-spend, inflation beyond max supply, chain halt)
  • Cryptographic vulnerabilities (signature forgery, hash collisions, PQ weaknesses)
  • Remote code execution in the node binary
  • Denial of service with low-cost attack (asymmetric cost)
  • Authentication/authorization bypasses
  • Vulnerabilities enabling supply-chain attacks on the build system
  • Privilege escalation within the node

Out of scope

  • Social engineering of the team or users
  • Issues requiring physical access to the attacker's own machine
  • Issues in deprecated versions (< 0.5)
  • Self-DoS (attacker can only crash their own node)
  • Missing security headers on unrelated websites
  • Weak password enforcement in a user's own wallet
  • Issues with third-party services we do not control (Akash, Docker Hub, etc.)

Known Risks

Some deliberate architectural choices have security tradeoffs:

  • RPC has no authentication. Operators are expected to firewall port 16210. Defaults bind to 127.0.0.1 to make this safe by default.
  • P2P uses libp2p gossipsub which has known DoS vectors through message amplification. We apply peer scoring to mitigate.
  • Single seed node at bootstrap. We are actively decentralizing — see SEEDS.md and contribute yours.
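A loopback-binding audit an operator can run against the first risk above. This is an added example, not code from the groundstate project; it assumes the `ss -ltn` listener output format and the RPC port 16210 named in this policy.

```shell
#!/bin/sh
# Added example (not part of the groundstate project): report any listener
# on the unauthenticated RPC port that is bound beyond loopback.
RPC_PORT=16210   # port named in the Known Risks section

# exposed_rpc_listeners: reads "ss -ltn"-style lines on stdin and prints each
# LISTEN socket on $RPC_PORT whose address is not 127.0.0.1 or ::1.
# Exit status 0 when nothing is exposed, 1 otherwise.
exposed_rpc_listeners() {
    awk -v port="$RPC_PORT" '
        $1 == "LISTEN" {
            addr = $4                              # Local Address:Port column
            n = split(addr, parts, ":")
            if (parts[n] != port) next             # some other service
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]" || host == "::1") next
            print addr                             # 0.0.0.0, [::], * or a NIC IP
            exposed = 1
        }
        END { exit exposed ? 1 : 0 }
    '
}

# Live check when ss is available; the warning is the operator's cue to add
# the firewall rule the policy expects, or to rebind RPC to 127.0.0.1.
if command -v ss >/dev/null 2>&1; then
    ss -ltn | exposed_rpc_listeners \
        || echo "WARNING: RPC port $RPC_PORT reachable beyond loopback" >&2
fi
```

Run it on the node host; an empty report with exit status 0 means RPC is only reachable locally, matching the safe default.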

Thanks

We are grateful to the security research community. Contributors to past security improvements (reproducing a vulnerability is as valuable as discovering it) are listed in CHANGELOG.md.

There aren’t any published security advisories