The Klever blockchain team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
We actively support and provide security updates for the following versions:

| Version | Supported |
|---|---|
| 1.7.x | ✅ |
| < 1.7.0 | ❌ |

Note: We strongly recommend using the latest stable release to ensure you have the most recent security patches and improvements.
Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, please report security vulnerabilities using one of the following methods:
- GitHub private vulnerability reporting:
  - Navigate to the Security tab of this repository
  - Click Report a vulnerability
  - Fill out the vulnerability details form
- Email: send details to security@klever.org
Please include the following information in your report:
- Type of vulnerability (e.g., consensus failure, smart contract execution bypass, denial of service)
- Affected component(s) (e.g., KVM, consensus mechanism, networking layer)
- Step-by-step instructions to reproduce the issue
- Proof of concept or exploit code (if available)
- Potential impact of the vulnerability
- Suggested mitigation (if you have one)
- Your contact information for follow-up questions
We use the following severity levels to classify security issues:
- Consensus failures or chain halts (BLS-based slot consensus with Byzantine fault tolerance)
- Unauthorized fund access or theft
- Remote code execution
- Private key exposure
- Byzantine attacks affecting consensus integrity
- Denial of Service affecting network availability
- Smart contract execution vulnerabilities
- Authentication/authorization bypass
- Transaction validation bypass
- Information disclosure
- Performance degradation attacks
- Non-critical DoS vectors
- Issues with limited impact
- Best practice violations
- Security improvements
We are committed to addressing security vulnerabilities promptly:
- Initial Response: Within 48 hours of receiving your report
- Triage and Assessment: Within 5 business days
- Fix Development: Depending on complexity and severity
  - Critical: 7-14 days
  - High: 14-30 days
  - Medium: 30-60 days
  - Low: 60-90 days
- Coordinated Disclosure: We will work with you to determine an appropriate disclosure timeline
When a security vulnerability is confirmed:
- We will develop and test a fix
- We will prepare security advisories
- We will notify affected users and node operators through official channels
- We will release the patched version
- After a reasonable adoption period, we will publish the security advisory with credit to the reporter (if desired)
We value the security research community's contributions. Details about our bug bounty program:
- Scope: Vulnerabilities in the core blockchain protocol, consensus mechanism, KVM, smart contract execution, and cryptographic implementations
- Rewards: Determined based on severity and impact (see classification above)
- Eligibility: Must follow responsible disclosure practices
For current bounty amounts and specific program details, please contact security@klever.org.
The following are generally considered out of scope:
- Issues in third-party dependencies (please report to the respective maintainers)
- Social engineering attacks
- Physical attacks on infrastructure
- Vulnerabilities requiring unlikely user interaction
- Issues already reported or fixed
- Automated scanning results without proof of exploitability
When researching vulnerabilities, please:
- ✅ Make every effort to avoid privacy violations, data destruction, and service disruption
- ✅ Only interact with accounts you own or have explicit permission to test
- ✅ Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
- ✅ Keep all vulnerability details confidential until they are resolved
- ✅ Give us reasonable time to fix vulnerabilities before public disclosure
Please do not:
- ❌ Access, modify, or delete data that doesn't belong to you
- ❌ Perform DoS/DDoS attacks on the mainnet or public testnet
- ❌ Compromise user privacy or degrade user experience
- ❌ Execute attacks against network participants
- ❌ Publicly disclose vulnerabilities before coordinated release
To help secure the Klever blockchain ecosystem:
- Keep your node software up to date
- Follow secure key management practices
- Use hardware wallets for significant holdings
- Verify transaction details before signing
- Be cautious of social engineering attempts
- Report suspicious activity to the team
Our codebase undergoes regular security audits by reputable third-party firms. Audit reports are published on our website and documentation.
For any security-related questions or concerns:
- Email: security@klever.org
- Website: https://klever.org
- Documentation: https://docs.klever.org
We would like to thank the security researchers and community members who help keep Klever safe. Contributors who follow responsible disclosure practices will be acknowledged (with permission) in our security advisories.
Last Updated: October 2025