Security fixes target the active develop branch and the latest tagged release line, currently v1.0.0. Historical pre-1.0 releases are not maintained unless maintainers explicitly scope a backport.
Please do not open a public issue for suspected vulnerabilities.
Send reports to security@greengoods.app with:
- A clear description of the issue
- Affected package, route, contract, or workflow
- Reproduction steps or proof-of-concept details
- Impact assessment, including affected users or funds if known
- Any suggested mitigation
If GitHub private vulnerability reporting is available on the repository, you may use that instead.
Maintainers aim to acknowledge credible reports within 3 business days, triage severity, and coordinate a fix or mitigation path before public disclosure. Disclosure timing depends on impact, exploitability, and deployment requirements.
Green Goods does not operate a standing bug bounty program. Paid security review or remediation work is grant-dependent and must be scoped with maintainers before work begins.
The following are out of scope:
- Social engineering against contributors or community members
- Physical attacks or device theft
- Denial-of-service tests that degrade public services
- Scanner-only reports without a demonstrated Green Goods impact
- Reports against third-party services without a Green Goods-specific exploit path