Security Acknowledgments
Researchers who have responsibly disclosed issues.
About this page
KuberCoin operates a coordinated-disclosure program for security vulnerabilities affecting the reference client, the wallet, the RPC server, the explorer or any other officially published surface. This page recognises researchers who reported a vulnerability through that program and agreed to be named after the corresponding fix shipped.
How researchers are listed
Listing is opt-in and bound to an embargo agreed at the time of disclosure. Once the embargo expires and the fix has rolled out to the recommended client version, the security team adds an entry that includes:
- The disclosure date and the version in which the fix shipped.
- A short technical description of the issue, written collaboratively with the reporter.
- The reporter's preferred display name and an optional link to a homepage or social profile.
- The CVE identifier, if one was assigned.
Reporters who prefer to remain anonymous are credited as “Anonymous” with the disclosure date intact, so the timeline of fixes remains transparent.
What qualifies for acknowledgment
Findings that demonstrate a real security impact on the reference software are eligible. Examples include remote code execution, authentication bypasses, privilege escalation, theft of funds, denial-of-service vectors that scale beyond a single peer, sensitive data exposure, and consensus-divergence bugs.
Reports that describe a theoretical risk without a working exploit, reports about third-party software bundled at the operating-system level, and reports about deliberate design trade-offs documented in the whitepaper are still appreciated but do not qualify for an acknowledgment entry.
Timeline
The standard embargo runs from the date the security team confirms the report through the date the recommended client version ships the fix, plus a fourteen-day grace window for operators to upgrade. The acknowledgment entry is published on the next business day after the grace window closes, unless the reporter requests an extension.
Current acknowledgments
No public acknowledgments have been recorded yet. Future entries will appear in this section in reverse chronological order. Each entry is a permanent record — entries are corrected for factual errors but are never removed.
Submit a finding
To open a new report, follow the steps on the vulnerability report page. The page describes the encrypted intake channel, the response timeline and the safe-harbour scope.