This document describes the Security Policy for ApeWorX Ltd., including vulnerability disclosures for the Ape Framework, any of it's maintained plugins, or any packages we maintain used by those as dependencies. We are committed to conduct our Security Process in a professional and civil manner. Public shaming, under-reporting, or misrepresentation of vulnerabilities will not be tolerated.
To submit a finding, please follow the steps outlined in receiving disclosures section.
ApeWorX follows a community standard for responsible disclosure in cryptocurrency and related software. This document is a public commitment to following the standard.
This standard provides detailed information for:
- Initial Contact: how to establish initial contact with our security team.
- Giving Details: what details to include with your vulnerability disclosure after having received a response to your initial contact.
- Setting Dates: how to agree on timelines for releasing updates and making details of the issue public.
Any expected deviations and necessary clarifications around the standard are explained in the following sections.
Ape is currently under active development, we support the latest release by major version. Any security issues found on the latest minor version of Ape will be fixed and released in either a patch or minor release.
| Version | Supported |
|---|---|
| > 0.6.x | ✅ |
ApeWorX is committed to working with researchers who submit security vulnerability notifications to us, to resolve those issues on an appropriate timeline, and to perform a coordinated release, giving credit to the reporter if they would so like.
Please submit disclosures to all of the following main points of contact for security related issues according to the initial contact and giving details guidelines.
For all security related issues, ApeWorX has the following main points of contact:
| Contact | Keybase |
|---|---|
| @fubuloubu | @fubuloubu |
| @NotPeopling2day | @NotPeopling2day |
| @unparalleled-js | @Antazoey |
In the case where we become aware of security issues affecting projects using Ape, our intention is to engage in responsible disclosures with them as described in the adopted standard.
ApeWorX does not currently have any established bilateral disclosure agreements.
ApeWorX does not currently have any bug bounty programs.
Parts of this document were inspired by Yearn's security policy.