
Create SECURITY.md for security policy and vulnerability reporting #1

Open
cshein45 wants to merge 1 commit into musitdev:main from cshein45:patch-1

Conversation

@cshein45

🔐 Security Policy – Movement Network

📌 Supported Versions

The following versions of the Movement Network contracts and infrastructure are currently supported with security updates:

| Version | Supported |
| --- | --- |
| 1.x (Mainnet) | ✅ Yes |
| 0.x (Testnet / Legacy) | ⚠️ Limited support |
| < 0.5 | ❌ No |

We strongly recommend that all users and integrators use the latest stable release.


🚨 Reporting a Vulnerability

We take security seriously and appreciate responsible disclosure.

If you discover a vulnerability, please report it privately using one of the following methods:

  • Email: security@movementnetwork.xyz
  • Encrypted (PGP): Available upon request
  • Alternative: Direct message to core team (for verified contributors)

📋 What to Include

Please provide as much detail as possible:

  • Description of the vulnerability
  • Affected contracts or components
  • Steps to reproduce (PoC if possible)
  • Potential impact assessment
  • Suggested mitigation (if available)

⏱️ Response Timeline

  • Initial response: within 24–72 hours
  • Status update: within 3–5 days
  • Fix & disclosure timeline: depends on severity

🛡️ Scope

This policy applies to:

  • Smart contracts (DAO, Treasury, Execution Router)
  • Multisig treasury (Safe)
  • Webhook and backend infrastructure
  • Token contracts and NFT identity layer

❌ Out of Scope

  • Testnet-only issues without real impact
  • Social engineering attempts
  • Issues requiring physical access
  • Known issues already documented

🏆 Disclosure Policy

  • Do not publicly disclose the vulnerability before it is fixed
  • We will coordinate disclosure after patching
  • Contributors will be credited (if desired)

💰 Bug Bounty (Optional)

We may offer rewards depending on severity:

| Severity | Example | Reward |
| --- | --- | --- |
| Critical | Fund loss / treasury exploit | High |
| High | Privilege escalation | Medium |
| Medium | Logic flaws | Low |
| Low | Minor issues | Recognition |

🔐 Security Best Practices

  • Use multisig approvals for all treasury actions
  • Verify contract addresses before interacting
  • Monitor onchain activity via webhooks
  • Keep signer keys secure (hardware wallets recommended)
  • Follow least-privilege principles

📢 Final Note

Security is a shared responsibility.
We encourage the community to help keep Movement Network safe.

Added a security policy document outlining supported versions and vulnerability reporting.