We actively support the following versions with security updates:

| Version | Supported |
|---|---|
| 1.0.x | ✅ |

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:
- Do NOT open a public GitHub issue
- Email security concerns to: security@novustechllc.com (or create a private security advisory)
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- We will:
  - Acknowledge receipt within 48 hours
  - Provide an initial assessment within 7 days
  - Keep you informed of progress
  - Credit you in the security advisory (if desired)
Security recommendations for users:
- Always verify contract addresses before interacting
- Use testnet for testing
- Never share private keys
- Review transaction details before signing
- Use hardware wallets for large amounts

Security recommendations for developers:
- Review all smart contract code before deployment
- Use established libraries (OpenZeppelin)
- Follow security best practices
- Conduct security audits for mainnet deployments
- Keep dependencies updated
- Use environment variables for sensitive data
Security measures in this project:
- Reentrancy Protection: Contracts use ReentrancyGuard
- Access Control: Owner and agent authorization checks
- Input Validation: All inputs are validated
- Deadline Checks: Payment requests expire after their deadline
- Wallet Integration: Uses established libraries (RainbowKit, Wagmi)
- Environment Variables: Sensitive data is kept in environment variables
- HTTPS: Always use HTTPS in production
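The following contract is an added illustration of how the four contract-side measures above (ReentrancyGuard, owner/agent authorization, input validation and deadline checks on payment requests) fit together in one place. It is example code written for this page, not this project's own contract; the contract name, the `PaymentRequest` layout, the function names and the OpenZeppelin Contracts 5.x import paths are all assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Illustrative example only; not the project's own contract.
// Assumes OpenZeppelin Contracts 5.x import paths (4.x keeps ReentrancyGuard under security/).
import {Ownable} from "@openzeppelin/contracts/access/Ownable.sol";
import {ReentrancyGuard} from "@openzeppelin/contracts/utils/ReentrancyGuard.sol";

contract PaymentRequestsExample is Ownable, ReentrancyGuard {
    struct PaymentRequest {
        address payee;    // recipient of the funds
        uint256 amount;   // exact amount due, in wei
        uint256 deadline; // unix timestamp; the request is void after this
        bool settled;
    }

    mapping(address => bool) public isAgent;          // agents may create requests
    mapping(uint256 => PaymentRequest) public requests;
    uint256 public nextId;

    event AgentUpdated(address indexed agent, bool allowed);
    event RequestCreated(uint256 indexed id, address indexed payee, uint256 amount, uint256 deadline);
    event RequestPaid(uint256 indexed id, address indexed payer);

    constructor(address initialOwner) Ownable(initialOwner) {}

    // Access control: only the owner manages the agent list.
    function setAgent(address agent, bool allowed) external onlyOwner {
        require(agent != address(0), "zero agent");
        isAgent[agent] = allowed;
        emit AgentUpdated(agent, allowed);
    }

    // Access control: agent authorization for request creation.
    modifier onlyAgent() {
        require(isAgent[msg.sender], "not agent");
        _;
    }

    // Input validation: non-zero payee and amount, deadline strictly in the future.
    function createRequest(address payee, uint256 amount, uint256 deadline)
        external
        onlyAgent
        returns (uint256 id)
    {
        require(payee != address(0), "zero payee");
        require(amount > 0, "zero amount");
        require(deadline > block.timestamp, "deadline in past");
        id = nextId++;
        requests[id] = PaymentRequest(payee, amount, deadline, false);
        emit RequestCreated(id, payee, amount, deadline);
    }

    // Deadline check plus reentrancy protection around the external ETH transfer.
    // The settled flag is written before the call (checks-effects-interactions), and
    // nonReentrant rejects a re-entry even if the payee's fallback calls back into pay().
    function pay(uint256 id) external payable nonReentrant {
        PaymentRequest storage r = requests[id];
        require(r.payee != address(0), "unknown request");
        require(!r.settled, "already settled");
        require(block.timestamp <= r.deadline, "request expired");
        require(msg.value == r.amount, "wrong amount");

        r.settled = true; // effect before interaction

        (bool ok, ) = r.payee.call{value: msg.value}("");
        require(ok, "transfer failed");
        emit RequestPaid(id, msg.sender);
    }
}
```

The deadline is compared against `block.timestamp`, so an expired request reverts with "request expired" rather than silently paying out; the `settled` flag is set before the transfer so that even without `nonReentrant` a second call would fail the "already settled" check, and the guard is the second layer on top of that ordering.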
Audit status:
- Initial security review completed
- Professional audit (planned)
- Bug bounty program (planned)
We follow responsible disclosure:
- Report privately
- Allow time for fix
- Coordinate public disclosure
- Credit the reporter
Security updates will be:
- Released as patches
- Documented in release notes
- Communicated to users
- Tagged with security labels
Remember: Smart contracts are immutable once deployed. Always test thoroughly on testnet before mainnet deployment.