| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

OP-VM has been professionally audited by Verichains.
Audit reports and findings are available in the AUDIT directory.

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

- DO NOT create a public GitHub issue for security vulnerabilities
- Email security concerns to the maintainers via the OP_NET contact channels
- Include as much detail as possible:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)

- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Assessment: We will assess the vulnerability and determine its severity
- Updates: We will keep you informed of our progress
- Resolution: We aim to resolve critical vulnerabilities as quickly as possible
- Credit: With your permission, we will credit you in the security advisory

The following are in scope for security reports:
- OP-VM core runtime vulnerabilities
- Memory safety issues
- Gas metering bypasses
- Sandbox escapes
- Cryptographic weaknesses

The following are out of scope:
- Denial of service attacks that require significant resources
- Issues in dependencies (please report these to the respective projects)
- Issues that require physical access to the machine

When using OP-VM in production:
- Always use the latest stable release
- Keep dependencies up to date
- Run the VM in a sandboxed environment
- Monitor for unusual resource consumption
- Follow the principle of least privilege

Security updates will be released as patch versions (e.g., 1.0.1, 1.0.2) and announced through:
- GitHub Releases
- GitHub Security Advisories
- The OP_NET website