Security vulnerabilities should be disclosed to the project maintainers through Discord, or alternatively via Telegram.
At this time there is no active bug bounty for MACI.
Security vulnerabilities will be patched as soon as responsibly possible, and published as an advisory on this repository (see advisories) and on the affected npm packages.
Security patches will be released for the latest minor of a given major release. For example, if an issue is found in versions >=4.6.0 and the latest is 4.8.0, the patch will be released only in version 4.8.1.
Only critical severity bug fixes will be backported to past major releases.
| Version | Critical security fixes | Other security fixes |
|---|---|---|
| 4.x | ✅ | ✅ |
| 3.4 | ✅ | ❌ |
| 2.5 | ✅ | ❌ |
| < 2.0 | ❌ | ❌ |
MACI is made available under the MIT License, which disclaims all warranties in relation to the project and which limits the liability of those that contribute and maintain the project, including the Ethereum Foundation (EF). You are solely responsible for any use of MACI and you assume all risks associated with any such use. This Security Policy in no way evidences or represents an on-going duty by any contributor, including the EF, to correct any flaws or alert you to all or any of the potential risks of utilizing the project.