Only the current main branch and the latest tagged release are supported for
security updates.
Please do not open public issues for vulnerabilities.
Report privately by email to the maintainers listed in the organization profile, including:
- affected crate/app (`lotus-api`, `lotus-explorer`, `shared`, etc.)
- reproduction steps or proof-of-concept
- expected impact and scope
- suggested fix (if available)
You will receive an acknowledgement within 3 business days. We aim to provide a remediation plan within 7 business days.
- Reproduce and triage the report on a private branch.
- Patch with tests.
- Run `make qa` and supply-chain checks.
- Publish a fixed release and rotate any impacted credentials.
- Publish an advisory/changelog note after patch availability.