Security: Invoice-Liquidity-Network/Invoice-Liquidity-Network

SECURITY.md

Security Policy

Supported Versions

We currently support security updates for the latest major version of the Invoice Liquidity Network (ILN) protocol and its components.

Reporting a Vulnerability

If you discover a security vulnerability within ILN, please report it privately. Do not disclose the vulnerability publicly until a fix has been issued.

You can report vulnerabilities by:

What to Include in Your Report

  • A detailed description of the vulnerability.
  • Step-by-step reproduction instructions.
  • Estimated impact (e.g., how it affects users, transactions, or the protocol).
  • Any potential mitigations you suggest.

Response Timeline

  • Acknowledgment: Within 48 hours.
  • Resolution/Fix: Within 14 days for Critical severity bugs.

Severity Classification

  • Critical: Allows draining of funds from smart contracts, bypassing authentication, or total system compromise.
  • High: Significant data breach, unauthorized state manipulation with limited financial impact.
  • Medium: Denial of service (DoS), localized data leaks.
  • Low: UI spoofing, minor bugs with no direct financial or data impact.

Reward Process

Valid, critical vulnerabilities reported privately that result in a patch may be eligible for a bug bounty reward, determined on a case-by-case basis.

Responsible Disclosure Hall of Fame

We maintain a public hall of fame for security researchers who responsibly disclose vulnerabilities to ILN.

  • See the full list in HALL_OF_FAME.md
  • Maintainers should add entries after a fix is merged and a disclosure is publicly announced
  • Entries should include researcher handle/name, date, severity, brief description, and CVE/advisory link if applicable