Summary
The repository has no security vulnerability reporting policy and no code of conduct for contributors. For an open-source financial protocol, both are important: users and security researchers need to know how to responsibly report vulnerabilities, and contributors need clear community standards.
Current State
The repository root contains neither a SECURITY.md nor a CODE_OF_CONDUCT.md. GitHub shows a "Security policy" tab on the repository, but without a SECURITY.md file that tab is empty.
What Needs to Be Created
1. SECURITY.md
A security policy that covers:
Scope
- What's considered a security vulnerability (smart contract bugs, authentication bypass, data exposure, etc.)
- What's NOT a security issue (feature requests, general bugs, UI issues)
Reporting Process
- Where to report: a dedicated email address (e.g., security@nester.dev) or GitHub's private vulnerability reporting feature
- What to include: description, reproduction steps, affected component, severity assessment
- Explicitly state: do NOT open a public GitHub issue for security vulnerabilities
Response Expectations
- Acknowledgment timeline (e.g., within 48 hours)
- Assessment timeline (e.g., within 1 week)
- Fix timeline (depends on severity)
- Credit and recognition policy for reporters
Severity Classification
- Critical: Smart contract funds at risk, authentication bypass, data breach
- High: Privilege escalation, significant data exposure
- Medium: Limited data exposure, denial of service
- Low: Information disclosure, best practice violations
Safe Harbor
- State that good-faith security researchers acting within the policy will not face legal action
- This encourages responsible disclosure
Bug Bounty (Optional)
- If applicable, mention any bug bounty program or plans for one
- Even if no monetary bounty, mention recognition (Hall of Fame, etc.)
2. CODE_OF_CONDUCT.md
Adopt the Contributor Covenant (the most widely used open-source code of conduct) or a similar standard. It should cover:
- Expected behavior: Be respectful, constructive, inclusive
- Unacceptable behavior: Harassment, trolling, discrimination, doxxing
- Enforcement: Who enforces it (project maintainers), how to report violations
- Consequences: Warning → temporary ban → permanent ban
- Contact: Where to report code of conduct violations
The Contributor Covenant v2.1 is available at https://www.contributor-covenant.org/ and is used by thousands of projects. It can be adopted with minimal customization (just fill in the enforcement contact).
Files to Create
SECURITY.md at repository root
CODE_OF_CONDUCT.md at repository root