If you discover a security vulnerability in this project, please report it responsibly.
Do not open a public issue.
Instead, email security@klever.org with:
- A description of the vulnerability
- Steps to reproduce the issue
- The potential impact
- Any suggested fix (optional)
We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.
This policy covers:
- The installer script (`install.sh`)
- The landing page (`index.html`)
- CI/CD workflows and GitHub Actions

| Version | Supported |
|---|---|
| Latest on main | Yes |
| develop branch | Best-effort |

The installer downloads and executes binaries from the Klever CDN (storage.googleapis.com/kleverchain-public). Users should verify they are fetching the script from the official source (install.klever.org) before running it.
The script validates KLEVER_SDK_PATH input to prevent shell injection. The core installer does not require root access; however, on fresh Linux systems, sudo may be used to install build dependencies (C compiler, pkg-config, OpenSSL headers) if they are not already present.