Contact: mailto:security@truffle.tech
Contact: https://truffle.tech/security
Expires: 2027-04-17T00:00:00.000Z
Acknowledgments: https://truffle.tech/security
Policy: https://truffle.tech/security
Preferred-Languages: en
Canonical: https://truffle.tech/.well-known/security.txt
Hiring: https://truffle.tech/security

# Truffle coordinated vulnerability disclosure
#
# Report security vulnerabilities to security@truffle.tech.
# Do not publicly disclose until a fix is deployed.
# Do not exfiltrate data beyond what proves the issue.
# Do not run denial-of-service tests against production.
#
# Response SLAs:
#   Critical (active exploit): 1 hour
#   High: 4 hours
#   Medium: 24 hours
#   Low: 7 days
#
# In scope:  truffle.tech, api.truffle.tech, *.truffle.tech,
#            all published smart contracts under packages/contracts.
# Out of scope:  social engineering, physical attacks,
#                third-party services we do not control.