Security: usezoracle/SolidScript

Security Policy

Supported versions

SolidScript is pre-1.0. Security fixes are applied to the latest minor (0.x). Older versions are not patched.

Version    Supported
0.2.x      Yes
< 0.2      No

Reporting a vulnerability

Do not open a public issue. Use GitHub's private security advisory flow:

https://github.com/usezoracle/SolidScript/security/advisories/new

What to include:

  • A clear description of the issue
  • Reproduction steps (or a minimal example contract that triggers it)
  • The SolidScript version (solidscript --version)
  • Your OS + Node version

What to expect:

  • Acknowledgement within 72 hours
  • Triage assessment within 7 days
  • Coordinated disclosure timeline agreed before any public patch
  • Credit in the release notes (unless you prefer to stay anonymous)

Scope

In scope:

  • Vulnerabilities in the solidscript npm package itself — transpiler bugs, validator bypasses, deploy-pipeline issues that could compromise user keys or generated bytecode
  • Supply-chain risks in our published tarball
  • Issues with the local browser-deploy HTTP bridge (localhost:7654)

Out of scope:

  • Vulnerabilities in contracts written with SolidScript — your contract logic is your responsibility, and our 9-gate pipeline narrows the surface but does not eliminate it
  • Issues in the underlying tools we orchestrate (solc, Slither, Mythril, forge, anvil, viem, OpenZeppelin) — report those upstream
  • Theoretical attacks that require attacker-controlled access to the user's local filesystem or wallet extension

Disclosure timing

We aim for coordinated disclosure. Default timeline once a fix is ready:

  • Critical: patch released within 7 days, advisory published immediately after
  • High: patch within 14 days
  • Medium / Low: rolled into the next regular release with a CHANGELOG note

If a vulnerability is already being exploited in the wild, we ship the patch first and disclose immediately.