| 1 | +# Security policy |
| 2 | + |
| 3 | +## Security status |
| 4 | + |
| 5 | +This repository contains reference and proof-of-concept code: the TrUAPI protocol |
| 6 | +definitions (Rust traits and types), the codegen toolchain, the generated TypeScript |
| 7 | +client, and an interactive playground. It is intended for reference and |
| 8 | +experimentation, not as a production-ready artefact. |
| 9 | + |
| 10 | +Unless a specific release states otherwise, this repository has **not** received a full |
| 11 | +security audit. Use in production or production-like deployments should only follow an |
| 12 | +independent security review of the relevant code, configuration, generated output, and |
| 13 | +deployment environment. |
| 14 | + |
| 15 | +Even where no Parity-operated production deployment exists today, this code may be used |
| 16 | +by third parties on live networks, or reused in future production contexts once |
| 17 | +published. |
| 18 | + |
| 19 | +## Supported versions |
| 20 | + |
| 21 | +Security fixes are provided only for versions, packages, or branches actively maintained |
| 22 | +by Parity. Experimental, archived, deprecated, or explicitly-unsupported packages, |
| 23 | +examples, or branches may not be triaged unless the issue affects maintained packages, |
| 24 | +Parity-operated infrastructure, user funds, private keys, signing flows, or transaction |
| 25 | +integrity. |
| 26 | + |
| 27 | +## Bug bounty scope |
| 28 | + |
| 29 | +This repository is **not** in scope for Parity's paid bug bounty programme unless |
| 30 | +explicitly listed in the official bounty scope at the time of submission. Reports may |
| 31 | +still be reviewed through responsible disclosure, but bounty eligibility applies only |
| 32 | +where the affected asset or vulnerability class is explicitly in scope. |
| 33 | + |
| 34 | +## What to report |
| 35 | + |
| 36 | +Report an issue only if it demonstrates realistic impact against one or more of: |
| 37 | + |
| 38 | +- Parity-operated production infrastructure or deployed services; |
| 39 | +- maintained SDK packages downstream users are expected to consume; |
| 40 | +- user funds or assets; |
| 41 | +- private keys, seed phrases, signer flows, or key-management boundaries; |
| 42 | +- transaction construction, integrity, or signing intent; |
| 43 | +- remote code execution or credential compromise in a realistic deployment. |
| 44 | + |
| 45 | +## Out of scope (unless shown to cause realistic high-impact harm) |
| 46 | + |
| 47 | +Local-development-only issues; demo/example/testnet-only issues; missing security headers |
| 48 | +on non-production demos; missing rate limiting in local examples; dependency reports |
| 49 | +without a working exploit path or that don't affect shipped packages; hypothetical attack |
| 50 | +paths; "this code is unaudited"; documented known limitations; unsafe SDK use contrary to |
| 51 | +documented warnings; issues requiring access to internal Parity systems not in scope. |
| 52 | + |
| 53 | +## Reporting a qualifying issue |
| 54 | + |
| 55 | +Do **not** open a public issue for a qualifying vulnerability. Email |
| 56 | +**security@parity.io** with: |
| 57 | + |
| 58 | +- the affected repository, package, commit, branch, or release; |
| 59 | +- clear reproduction steps and realistic impact; |
| 60 | +- whether it affects production infrastructure, maintained packages, user funds, keys, |
| 61 | + signing, or only local/demo/testnet usage; |
| 62 | +- any proof of concept, logs, or generated code involved; |
| 63 | +- assumptions required for exploitation. |
| 64 | + |
| 65 | +## Researcher expectations |
| 66 | + |
| 67 | +Don't access, modify, or delete data that isn't yours; don't disrupt services; don't |
| 68 | +extract keys or secrets beyond what's needed to demonstrate impact safely; don't test |
| 69 | +against production systems not in scope; no social engineering or physical attacks; don't |
| 70 | +disclose publicly until Parity has had a reasonable opportunity to remediate. |
| 71 | + |
| 72 | +## Safe-use guidance |
| 73 | + |
| 74 | +Before any production or production-like deployment, review at minimum: how |
| 75 | +keys/seeds/signers are generated, stored, and destroyed; whether signing prompts display |
| 76 | +transaction intent before approval; whether transactions are built against the intended |
| 77 | +chain/account/network; whether generated apps default to testnet/devnet; whether storage |
| 78 | +assumptions are appropriate; whether any cloud or statement-store data is |
| 79 | +public/private/encrypted; whether examples rely on internal/test/unstable endpoints; |
| 80 | +whether dependencies are pinned and reviewed; whether generated code has been manually |
| 81 | +reviewed before execution; and whether deployment configuration, CORS, auth, admin |
| 82 | +routes, logging, and telemetry suit the intended environment. |
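Review bot: the "Reporting a qualifying issue" section (lines 55-63) gives only a plain email address and no way to send the report encrypted, and neither it nor "Researcher expectations" (lines 67-70) states how quickly a report is acknowledged or how long "a reasonable opportunity to remediate" is expected to be, so a researcher cannot tell when coordinated disclosure becomes acceptable. Suggest adding a PGP key fingerprint or a link to the key (or a security.txt reference) next to `**security@parity.io**`, plus a target acknowledgement time and a disclosure window (placeholders such as "acknowledgement within N business days" and "N days after a fix is released" until the real figures are agreed). Minor style point: "Out of scope" (lines 47-51) and "Safe-use guidance" (lines 74-82) are long semicolon-joined paragraphs; turning them into bullet lists, as "What to report" already is, would make each item easier to cite when triaging a report.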