Security Policy
Vulnerability disclosure process and response timelines.
Scope
This policy covers the reference node, the Rust and TypeScript client
SDKs, and the public-facing infrastructure under
*.kuber-coin.com. Third-party wallets, exchanges and pools
are out of scope.
Reporting a vulnerability
Send encrypted reports through the channel documented on the vulnerability report page. Please do not open public discussion threads for unpatched issues.
Response timelines
- Acknowledgement: within 3 business days.
- Initial triage: within 7 business days.
- Fix or mitigation: targeted within 90 days from acknowledgement.
- Coordinated disclosure: a fixed embargo date is set jointly with the reporter.
Severity rubric
- Critical. Consensus failure, fund loss, or remote code execution on the reference node.
- High. Denial of service against a majority of nodes, or wallet key extraction.
- Medium. Cross-site scripting on a hosted surface, or inflation of confirmation latency.
- Low. Information disclosure with no privilege escalation.
Acknowledgments
Researchers who follow coordinated disclosure are listed, with their permission, on the acknowledgments page.
The public audit package is summarized on the audit scope page.