Security fixes are provided for the following releases:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |
The OpenSY team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.
DO NOT create a public GitHub issue for security vulnerabilities.
Instead, please report security vulnerabilities by emailing:
Please include the following information in your report:
- Type of vulnerability (e.g., remote code execution, denial of service, information disclosure)
- Full paths of source file(s) related to the vulnerability
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment - what an attacker could achieve
We aim to respond on the following timeline:
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Target: Within 90 days (depending on severity)
Reports are triaged using these severity categories:
| Severity | Description | Example |
|---|---|---|
| Critical | Remote code execution, consensus failure, coin theft | Buffer overflow in P2P handling |
| High | Denial of service, significant data leak | Crash via malformed block |
| Medium | Local privilege escalation, minor DoS | Wallet file permission issues |
| Low | Information disclosure, hardening issues | Debug info leak in logs |
We consider security research conducted in accordance with this policy to be:
- Authorized and legal
- Exempt from DMCA anti-circumvention provisions
- Conducted in good faith
We will not pursue legal action against researchers who:
- Report vulnerabilities responsibly
- Do not exploit vulnerabilities beyond proof-of-concept
- Give us reasonable time to address issues before disclosure
We are establishing a bug bounty program. Details will be announced at:
- Website: https://opensyria.net/security
- Twitter/X: @OpenSYcrypto
Bounty amounts (when available):
- Critical: Up to 50,000 SYL
- High: Up to 20,000 SYL
- Medium: Up to 5,000 SYL
- Low: Up to 1,000 SYL
For sensitive communications, you may encrypt your report using our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP key will be added here]
-----END PGP PUBLIC KEY BLOCK-----
Key fingerprint: [To be added]
Recommended hardening for node operators, expressed as settings for the node's configuration file:

```ini
# Limit RPC access to localhost
rpcbind=127.0.0.1
# Use strong RPC credentials
rpcuser=<random_string>
rpcpassword=<strong_random_password>
# Use Tor for enhanced privacy (optional; assumes a local Tor SOCKS proxy on 9050)
proxy=127.0.0.1:9050
# Run the node behind a firewall; only expose port 9633 for P2P (if needed)
```

`encryptwallet` is an RPC command rather than a configuration option; run it once against the running node (through its CLI or RPC interface) to enable wallet encryption:

```
encryptwallet "your-strong-passphrase"
```

Operational practices:
- Keep your node software updated
- Run behind a firewall
- Use Tor for enhanced privacy (the `proxy=` setting above)
- Monitor for unusual activity
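The checklist above can be turned into a repeatable check. The audit script below is an added example, not OpenSY project code. It assumes the node reads a bitcoin.conf-style `key=value` file (one option per line, text after `#` ignored, optional `[section]` headers) using the option names shown above plus `rpcallowip`, which is the Bitcoin Core option that widens RPC access and is assumed to exist in OpenSY. The two sample configurations and the weak-password list are constructed for the example; the script flags the weak settings, passes the hardened sample, and generates random credentials for the `<random_string>` placeholders.

```python
"""Audit an opensy.conf-style node configuration against the hardening list above.

Added example, not OpenSY project code. Assumes a bitcoin.conf-style reader and
the option names rpcbind, rpcallowip, rpcuser, rpcpassword and proxy.
"""
import ipaddress
import secrets
from typing import Dict, List, Tuple

Finding = Tuple[str, str]  # (severity, message)

# Constructed sample: the weak configuration the section above warns against.
WEAK_CONF = """\
# opensy.conf (constructed sample, not from a real node)
server=1
rpcbind=0.0.0.0          # RPC reachable on every interface
rpcallowip=0.0.0.0/0     # ...and from every client address
rpcuser=admin
rpcpassword=password123
"""

# Constructed sample: the same node hardened as the section recommends.
HARDENED_CONF = """\
server=1
rpcbind=127.0.0.1
rpcallowip=127.0.0.1
rpcuser=rpc_7b1d9e2c4f
rpcpassword=Kq8vX2pL9mNz4rT6wY1bC3dF5gH7jA0s
proxy=127.0.0.1:9050     # route P2P traffic through Tor
"""

# Constructed list of guessable defaults; a real audit would use a larger wordlist.
WEAK_PASSWORDS = {"password", "password123", "admin", "changeme", "opensy", "123456"}
WEAK_USERS = {"admin", "root", "user", "opensy"}


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse key=value config text into option -> list of values.

    Options may repeat (rpcbind, rpcallowip), so every value is kept. Text after
    '#' is dropped and [section] headers are skipped (assumed reader behaviour).
    """
    options: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        options.setdefault(key.strip().lower(), []).append(value.strip())
    return options


def _host_part(bind_value: str) -> str:
    """Strip an optional :port from an rpcbind value ('[::1]:9633' -> '::1')."""
    if bind_value.startswith("["):
        return bind_value[1:].partition("]")[0]
    if bind_value.count(":") == 1:  # IPv4 with port; bare IPv6 has more colons
        return bind_value.split(":", 1)[0]
    return bind_value


def audit(conf: Dict[str, List[str]]) -> List[Finding]:
    """Return findings for every hardening point the section above lists."""
    findings: List[Finding] = []

    # 1. RPC must listen on loopback only.
    binds = conf.get("rpcbind", [])
    if not binds:
        findings.append(("medium", "rpcbind not set; set rpcbind=127.0.0.1 explicitly"))
    for value in binds:
        try:
            addr = ipaddress.ip_address(_host_part(value))
        except ValueError:
            findings.append(("medium", f"rpcbind={value}: unparseable address"))
            continue
        if not addr.is_loopback:
            findings.append(("high", f"rpcbind={value}: RPC exposed beyond localhost"))

    # 2. rpcallowip widens who may talk to RPC; anything beyond loopback is a finding.
    for value in conf.get("rpcallowip", []):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            findings.append(("medium", f"rpcallowip={value}: unparseable network"))
            continue
        if not net.is_loopback:
            findings.append(("high", f"rpcallowip={value}: non-local clients may reach RPC"))

    # 3. Credentials: both present, not a known default, long enough to resist guessing.
    user = conf.get("rpcuser", [""])[-1]
    password = conf.get("rpcpassword", [""])[-1]
    if not user or not password:
        findings.append(("high", "rpcuser and rpcpassword must both be set"))
    else:
        if password.lower() in WEAK_PASSWORDS or len(password) < 20:
            findings.append(("high", "rpcpassword is short or a common default"))
        if user.lower() in WEAK_USERS:
            findings.append(("medium", f"rpcuser={user} is a guessable default"))

    # 4. Privacy: the section suggests routing P2P traffic through Tor.
    if "proxy" not in conf:
        findings.append(("info", "no proxy= set; consider proxy=127.0.0.1:9050 for Tor"))
    return findings


def generate_rpc_credentials() -> Tuple[str, str]:
    """Random rpcuser/rpcpassword pair for the <random_string> placeholders above."""
    return "rpc_" + secrets.token_hex(6), secrets.token_urlsafe(32)


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for severity, message in audit(parse_conf(text)) or [("ok", "no findings")]:
            print(f"[{severity}] {message}")
    print("example credentials:", generate_rpc_credentials())
```

Run it against your own file with `audit(parse_conf(open("opensy.conf").read()))`; a clean node produces no findings, and the weak sample produces three high-severity ones (exposed bind, open allow-list, default password).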
| Date | Severity | Description | Fixed In |
|---|---|---|---|
| - | - | No advisories yet | - |
Thank you for helping keep OpenSY secure! 🔒