NEAR values the independent security research community and believes that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of all our users.
Please do NOT raise a GitHub Issue to report a security vulnerability. If you believe you have found a security vulnerability, please submit a report to security@near.org, preferably with a proof of concept.
We ask that you do not use other channels or contact project contributors directly.
Non-vulnerability-related security issues, such as new ideas for security features, are welcome on GitHub Issues.
Security updates will be released on a regular cadence. Security updates are released on the Tuesday closest to the 17th day of January, April, July, and October. A pre-release announcement will be published on the Thursday preceding each release.
We will provide security-related information such as a threat model, considerations for secure use, or any known security issues in our documentation. Please note that labs and sample code are intended to demonstrate a concept and may need to be sufficiently hardened for production use.
NEAR uses HackenProof as a conduit for reporting defects and vulnerabilities as well. To report a vulnerability that you believe you have discovered in the Near or Pagoda platform, please use one of the following programs to report it:
- NEAR Protocol: (https://hackenproof.com/near/near-protocol)
- NEAR Web (Medium): (https://hackenproof.com/near/near-web-medium)j
- NEAR Smart Contract (Medium): (https://hackenproof.com/near/near-smart-contract-medium)
- NEAR Smart Contract (High): (https://hackenproof.com/near/near-smart-contract-high)
- NEAR Smart Contract (Critical): (https://hackenproof.com/near/near-smart-contracts-critical)
- NEAR Foundation Web (Low): (https://hackenproof.com/near/near-foundation-web-low)