SolarProof takes the security of our renewable energy infrastructure seriously. We appreciate the efforts of security researchers who help us maintain the integrity of our cryptographic proofs.

We provide security updates for the following versions:

Please do not open a public GitHub issue for security vulnerabilities.

If you discover a potential security issue, please report it to us via email:

security@solarproof.dev

To help us address the issue quickly, please include:

• A detailed description of the vulnerability and its potential impact.
• Step-by-step instructions to reproduce the issue (or a proof-of-concept).
• The affected component(s) (API, smart contracts, frontend, scripts).
• Any suggested remediations or mitigations.

• Acknowledgment: Within 48 hours of receipt.
• Initial Evaluation: Within 7 days of acknowledgment.
• Resolution: We aim to resolve critical issues within 14-21 days.

We follow coordinated vulnerability disclosure and ask that you do the same.

1. Report: You report the vulnerability privately to our security email.
2. Evaluation: We verify the issue and assess the risk.
3. Fix: We develop and test a security patch.
4. Coordination: We coordinate a release date with you.
5. Disclosure: We publish a security advisory and credit you for the discovery.

• Meter Proofs: Ed25519 signature verification bypasses.
• Certificate Lifecycle: Unauthorized retirement or minting of tokens.
• Chain of Custody: Data manipulation in the /api/verify or anchor registry.
• Smart Contracts: Vulnerabilities in energy_token, audit_registry, or community_governance.
• Infrastructure: Supabase RLS policy bypasses or authentication flaws.

• Vulnerabilities in the Stellar network itself (please report to the Stellar Foundation).
• Attacks requiring physical access to a meter device (unless the attack scales to other devices).
• Social engineering, phishing, or denial-of-service (DoS) attacks.
• Third-party library vulnerabilities (unless they result from our specific usage).

SolarProof does not currently operate a paid bug bounty program. However, we are happy to:

• Publicly credit researchers in our security advisories.
• Provide a letter of appreciation for significant findings.
• Offer early access to upcoming features.

For sensitive reports, you may use our PGP key to encrypt your email.

Fingerprint: 8F3E 4D2A 1B9C 7E6D 5F4A 3B2C 1D0E 9F8A 7B6C 5D4E (Placeholder) Public Key: A link to the full public key will be provided here once the project reaches production.

In the meantime, standard email to security@solarproof.dev is the preferred channel.