We take the security of Cathedral seriously. We gratefully receive responsible vulnerability disclosures and will work with you to remediate issues promptly. Please note that the on-chain programs in apps/contracts have not yet undergone formal security audits; use them at your own risk and avoid deploying to production without an independent review.
We aim to support the latest release and the main branch. Older tags may not receive security fixes.
Please email lukema95@gmail.com with the following information:
- Description of the vulnerability and potential impact
- Steps to reproduce
- Any proof-of-concept code or screenshots
- Your contact details for follow-up
You can optionally encrypt your report using our PGP key (coming soon). Please do not open public GitHub issues for security reports.
We will acknowledge receipt within 3 business days and provide a status update at least every 7 business days until the issue is resolved. Our handling process is as follows:
- We confirm the issue and assess severity.
- If needed, we develop and test a fix.
- We coordinate a release and public advisory.
- We credit reporters who wish to be acknowledged.
Thank you for helping to keep Cathedral users safe!