If you discover a security vulnerability in TerraQura, please report it responsibly. Do not open a public GitHub issue.
- Email: [email protected]
- PGP: Available on request
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)
Response targets:

| Stage | SLA |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Fix timeline communicated | 10 business days |
| Patch released | Depends on severity |
In scope:
- Smart contracts (Solidity, EVM)
- Backend API endpoints
- Authentication and authorization logic
- Cryptographic implementations
- Oracle data verification
- Frontend security (XSS, CSRF, injection)
Out of scope:
- Denial of service against endpoints that are already rate limited
- Social engineering attacks
- Third-party dependencies (report upstream)
- Issues in test or development environments
Smart contracts: Reentrancy guards, UUPS upgradeable proxy pattern, circuit breaker emergency pause, multisig admin (2-of-3), timelock on upgrades, role-based access control (MINTER_ROLE, OPERATOR_ROLE, ADMIN_ROLE), checked arithmetic.
Application layer: JWT + SIWE (Sign-In with Ethereum) authentication, RBAC, Zod input validation, per-endpoint rate limiting, CORS, Helmet headers, parameterised queries.
Infrastructure: TLS 1.3, ADGM (Abu Dhabi Global Market, UAE) data residency, DDoS protection, container security contexts, secrets management.
A bug bounty program will be announced prior to mainnet launch. Details will be published at aethelred.io/security.
Supported versions:

| Version | Supported |
|---|---|
| main (pre-mainnet) | Yes |
| Older branches | No |