Conversation

@phessophissy

Summary

This PR adds a SECURITY.md file to consolidate security reporting guidelines.

Changes

Added SECURITY.md with:

  • Link to the Immunefi bug bounty program
  • Alternative email contact (security@0x.org)
  • What to include when reporting vulnerabilities
  • Responsible disclosure guidelines
  • Supported versions table

Motivation

Security information is currently spread across:

  • README.md (Immunefi link)
  • sh/initial_description_*.md files (email contact)

A root-level SECURITY.md file:

  • Is automatically recognized by GitHub and shown in the Security tab
  • Provides a single, discoverable location for security policy
  • Follows GitHub's security best practices
  • Makes it easier for security researchers to find reporting guidelines

@immunefi-magnus

🛡️ Immunefi PR Reviews

We noticed that your project isn't set up for automatic code reviews. If you'd like this PR reviewed by the Immunefi team, you can request it manually using the link below:

🔗 Send this PR in for review

Once submitted, we'll take care of assigning a reviewer and follow up here.

@zakkycrypt01

Nice one man

@duncancmt (Collaborator) left a comment

line wrap to 80 columns

0x hosts a bug bounty program on Immunefi:

**https://immunefi.com/bug-bounty/0x**
Collaborator

please format this as a link

Comment on lines +22 to +34
### Alternative Contact

For security issues that may not qualify for the bug bounty, you can also contact:

**Email**: [security@0x.org](mailto:security@0x.org)

When reporting via email, please include:
- A detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- A proof-of-concept exploit (if possible)

Use the subject line: **"BUG BOUNTY"** or **"SECURITY VULNERABILITY"**
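Review bot: the bullet "A proof-of-concept exploit (if possible)" asks researchers to send exploit code and full reproduction steps to a plain mailto: address, and the section lists no PGP key, fingerprint or other encrypted channel, so everything a reporter sends would travel in the clear; if an email route is kept at all, either drop the PoC request from this list or publish a key next to the address so that vulnerability details are not sent unencrypted.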
Collaborator

reporting vulnerabilities over email is discouraged. please remove this section

Comment on lines +49 to +51
## Security Audits

0x Settler has undergone security audits. Audit reports can be found in the repository documentation.
Collaborator

link to the audits directory

Please do NOT:
- Open a public GitHub issue for security vulnerabilities
- Disclose the vulnerability publicly before it has been addressed
- Exploit the vulnerability beyond what is necessary to demonstrate it
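Review bot: the third bullet, "Exploit the vulnerability beyond what is necessary to demonstrate it", reads as permission to exploit up to a threshold that the policy never defines; make it unconditional ("Do not exploit the vulnerability") and say that impact should be demonstrated in the written report rather than by running the exploit, so that reporters are not left to decide for themselves how much exploitation is "necessary".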
Collaborator

no. exploiting vulnerabilities is blackhat shit, even as a demonstration

Comment on lines +43 to +48
## Supported Versions

| Version | Supported |
| ------- | ------------------ |
| Latest | :white_check_mark: |

Collaborator

this is pointless. remove it.

Comment on lines +53 to +55
## Security Contact

For general security inquiries: [security@0x.org](mailto:security@0x.org)
Collaborator

remove this.
