# `gnark-crypto` Security Policy

## Overview

This document explains the gnark team's process for handling issues reported and what to expect in return.

## Reporting a Security Bug

All security bugs in the gnark-crypto distribution should be reported by email to gnark@consensys.net. Your email will be acknowledged within 7 days, and you'll be kept up to date with the progress until resolution. Your issue will be fixed or made public within 90 days.

If you have not received a reply to your email within 7 days, please follow up with the gnark team again at gnark@consensys.net.

Note that we do not currently run any bug bounty program.

## Tracks

Depending on the nature of your issue, it will be categorized as an issue in the **PUBLIC**, **PRIVATE**, or **URGENT** track.

### PUBLIC

Issues in the **PUBLIC** track affect niche configurations, have very limited impact, or are already widely known.

**PUBLIC** track issues are fixed on the develop branch, and get backported to the next scheduled minor releases. The release announcement includes details of these issues, but there is no pre-announcement.

### PRIVATE

Issues in the **PRIVATE** track are violations of committed security properties.

**PRIVATE** track issues are fixed in the next scheduled minor releases, and are kept private until then. Three to seven days before the release, a pre-announcement is sent to [`gnark-announce`] and [@gnark_team], announcing the presence of a security fix in the upcoming releases, and which component in gnark is affected: compiler, constraint system or proof system (but not disclosing any more details).

### URGENT

**URGENT** track issues are a threat to the gnark ecosystem's integrity, or are being actively exploited in the wild leading to severe damage.

**URGENT** track issues are fixed in private, and trigger an immediate dedicated security release, possibly with no pre-announcement.
## Flagging Existing Issues as Security-related

If you believe that an existing issue is security-related, we ask that you send an email to gnark@consensys.net. The email should include the issue ID and a short description of why it should be handled according to this security policy.

## Disclosure Process

The gnark project uses the following disclosure process:

* Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
* The issue is confirmed and a list of affected components is determined.
* Code is audited to find any potential similar problems.
* Fixes are prepared for the two most recent major releases and merged to head/master.
* On the date that the fixes are applied, announcements are sent to [`gnark-announce`] and [@gnark_team].

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible; however, it's important that we follow the process described above to ensure that disclosures are handled consistently.

## Receiving Security Updates

The best way to receive security announcements is to subscribe to the [`gnark-announce`] mailing list. Any messages pertaining to a security issue will be prefixed with \[security\].

[`gnark-announce`]: https://groups.google.com/g/gnark-announce
[@gnark_team]: https://twitter.com/gnark_team