Skip to content

Security: Unhosted-Wallet/biconomy-client-sdk

Security

SECURITY.md

Security Policy

Reporting a Vulnerability

The safety and security of our sdk is our top priority. If you have discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly.

Contact Us Directly for Critical or High-Risk Findings

For critical or high-impact vulnerabilities that could affect our users, please contact us directly at:

We'll work with you to assess and understand the scope of the issue.

For Other Issues

For vulnerabilities that are less critical and do not immediately affect our users:

  1. Open an issue in our GitHub repository (https://github.com/bcnmy/biconomy-client-sdk/issues).

  2. Provide detailed information about the issue and steps to reproduce.

If your findings are eligible for a bounty, we will follow up with you on the payment process.

Scope

The bounty program covers code in the main branch of our repository. The vulnerability must not have already been addressed or fixed in the develop branch.

Eligibility

To be eligible for a bounty, researchers must:

  • Report a security bug that has not been previously reported.

  • Not violate our testing policies (detailed below).

  • Follow responsible disclosure guidelines.

Testing Policies

  • Do not conduct testing on the mainnet or public testnets. Local forks should be used for testing.

  • Avoid testing that generates significant traffic or could lead to denial of service.

  • Do not disclose the vulnerability publicly until we have had the chance to address it.

Out of Scope

  • Known issues listed in the issue tracker or already fixed in the develop branch.

  • Issues in third-party components.

Legal Notice

By submitting a vulnerability report, you agree to comply with our responsible disclosure process. Public disclosure of the vulnerability without consent from us will render the vulnerability ineligible for a bounty.

Thank you for helping to keep Biconomy 🍊 and the blockchain community safe!

There aren’t any published security advisories