If you discover a security vulnerability in any w3-kit repository, please report it responsibly.

Do NOT open a public issue.

Instead, use GitHub's private vulnerability reporting on the affected repository.

• Description of the vulnerability
• Steps to reproduce
• Affected repository and version
• Potential impact

This policy covers all repositories in the w3-kit organization:

• cli
• registry
• config
• ui
• website
• learn
• contracts

• Acknowledgment: within 48 hours
• Initial assessment: within 1 week
• Fix or mitigation: depends on severity, typically within 30 days

For vulnerabilities in w3-kit/contracts, please note that these are educational templates, not production-deployed contracts. We still take security seriously and will address reported issues promptly.

We support the latest published version of each package. Older versions do not receive security patches.