Security: AztecProtocol/aztec-packages

SECURITY.md

Security Policy

Aztec Network is novel software, so we expect there to be bugs at this time. The project is currently under internal and external review and we are preparing to launch a bug bounty with a limited scope. We will update this security policy with information on the bug bounty once it launches and the scope of the bug bounty will be expanded with increased maturity of individual components.

We welcome external submissions in the meantime. To submit a vulnerability, please use the following procedures.

Reporting Security Vulnerabilities

  • Do not open public GitHub issues or pull requests for suspected security vulnerabilities.

Instead, please use the Private Vulnerability Reporting process on GitHub.

  • Navigate to the "Security" tab of this repository.
  • Click "Report a vulnerability" on the left sidebar.
  • Fill out the form with the details of your discovery:
    1. Description of the vulnerability and potential impact
    2. Steps to reproduce (including logs, requests, or PoCs as appropriate)
    3. Environment details (OS, network assumptions)

You can also email security@aztec.foundation, but please do not include the vulnerability details or steps to reproduce in the email. Use the GitHub Private Vulnerability Reporting form for the submission itself.

We will:

  • Acknowledge receipt of your report as soon as reasonably possible
  • Investigate and validate the issue
  • Work on a fix and coordinate disclosure timing with you when appropriate

If you believe a vulnerability is actively being exploited or has severe impact (e.g. loss of funds, key compromise, or broad user impact), please clearly mark the report as CRITICAL in the subject line of the private vulnerability report or email.

Reporting Non-Security Bugs and Feature Requests

Use GitHub Issues to report bugs or issues that are not security-sensitive (performance problems, feature requests, etc.).

Keeping normal bugs and feature requests public helps the community track progress and collaborate on fixes, while keeping security issues private helps protect users until a fix is available.
