| Version | Supported |
|---|---|
| 1.x | ✅ Yes |
Do not open a public GitHub issue for security vulnerabilities.
Please report security issues by emailing security@cosmosvote.dev with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Any suggested mitigations
You will receive an acknowledgment within 48 hours and a full response within 7 days.
- We follow coordinated (responsible) disclosure.
- We will coordinate a fix and release before public disclosure.
- Credit will be given to reporters in the release notes (unless anonymity is requested).
- We do not pursue legal action against good-faith security researchers.
CosmosVote is designed with the following security guarantees:
| Property | Implementation |
|---|---|
| Vote integrity | Each address votes once per proposal; vote weight is the voter's token balance read at the time the vote is cast |
| No double-voting | Persistent HasVoted flag, keyed by (proposal, address), checked before every vote |
| Auth enforcement | require_auth() on all state-changing operations |
| Arithmetic safety | checked_add / checked_sub on all token amounts |
| Initialization safety | One-time init guard; admin/token immutable after init |
| Emergency pause | Admin can pause all state-changing operations |
See docs/security/known-issues.md for documented limitations and accepted risks.
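The checks in the table above compose in a particular order, and the cases worth exercising are the ones that must fail: a second vote on the same proposal, a vote not signed by the voter, a tally that would overflow, and any state change while paused. The block below is an added example written for this page in plain Rust, not CosmosVote's contract code: the `Auth` struct stands in for the host signature check that `require_auth()` performs on-chain, and `VoteContract`, `VoteError` and the in-memory maps are assumptions chosen so it runs stand-alone without a contract SDK.

```rust
use std::collections::{BTreeMap, BTreeSet};

pub type Address = String;
pub type Proposal = u32;

#[derive(Debug, PartialEq, Eq)]
pub enum VoteError {
    AlreadyInitialized,
    NotInitialized,
    Unauthorized,
    Paused,
    AlreadyVoted,
    Overflow,
}

/// Stand-in (an assumption for this example) for the host's signature check:
/// `require_auth(who)` passes only if the transaction was signed by `who`.
pub struct Auth {
    pub signer: Address,
}

impl Auth {
    pub fn require_auth(&self, who: &Address) -> Result<(), VoteError> {
        if &self.signer == who {
            Ok(())
        } else {
            Err(VoteError::Unauthorized)
        }
    }
}

/// In-memory model of the contract state (an assumption; a real contract keeps
/// these entries in ledger storage).
#[derive(Default)]
pub struct VoteContract {
    admin: Option<Address>,                   // set once by init, never changed after
    balances: BTreeMap<Address, u64>,         // stands in for the live token balances
    paused: bool,
    has_voted: BTreeSet<(Proposal, Address)>, // the persistent HasVoted flag
    tally: BTreeMap<Proposal, u64>,
}

impl VoteContract {
    /// One-time init guard: a second call fails and leaves admin untouched.
    pub fn init(&mut self, admin: Address, balances: BTreeMap<Address, u64>) -> Result<(), VoteError> {
        if self.admin.is_some() {
            return Err(VoteError::AlreadyInitialized);
        }
        self.admin = Some(admin);
        self.balances = balances;
        Ok(())
    }

    /// Emergency pause: admin-only, with auth enforced like any other state change.
    pub fn set_paused(&mut self, auth: &Auth, paused: bool) -> Result<(), VoteError> {
        let admin = self.admin.as_ref().ok_or(VoteError::NotInitialized)?;
        auth.require_auth(admin)?;
        self.paused = paused;
        Ok(())
    }

    /// Cast a vote; returns the new tally for the proposal on success.
    pub fn vote(&mut self, auth: &Auth, voter: Address, proposal: Proposal) -> Result<u64, VoteError> {
        if self.admin.is_none() {
            return Err(VoteError::NotInitialized);
        }
        auth.require_auth(&voter)?; // auth enforcement
        if self.paused {
            return Err(VoteError::Paused); // emergency pause
        }
        let key = (proposal, voter);
        if self.has_voted.contains(&key) {
            return Err(VoteError::AlreadyVoted); // no double-voting
        }
        // Vote weight is the balance read now (the table's "live balance").
        let weight = self.balances.get(&key.1).copied().unwrap_or(0);
        let current = self.tally.get(&proposal).copied().unwrap_or(0);
        // Arithmetic safety: refuse rather than wrap on overflow.
        let updated = current.checked_add(weight).ok_or(VoteError::Overflow)?;
        // Every check has passed; only now is state written, so a rejected
        // vote leaves neither the flag nor the tally modified.
        self.has_voted.insert(key);
        self.tally.insert(proposal, updated);
        Ok(updated)
    }

    pub fn total(&self, proposal: Proposal) -> u64 {
        self.tally.get(&proposal).copied().unwrap_or(0)
    }
}

fn main() {
    let mut contract = VoteContract::default();
    // Constructed sample balances: bob's u64::MAX forces the overflow path.
    let balances = BTreeMap::from([("alice".to_string(), 10), ("bob".to_string(), u64::MAX)]);
    contract.init("admin".to_string(), balances).unwrap();
    let alice = Auth { signer: "alice".to_string() };
    let bob = Auth { signer: "bob".to_string() };
    println!("first vote:  {:?}", contract.vote(&alice, "alice".to_string(), 1));
    println!("second vote: {:?}", contract.vote(&alice, "alice".to_string(), 1));
    println!("overflowing: {:?}", contract.vote(&bob, "bob".to_string(), 1));
}
```

The ordering is the point: the HasVoted flag is read before any arithmetic, and the flag and the tally are written only after `checked_add` succeeds, so a rejected vote leaves no partial state. On-chain the transaction's atomicity gives the same result, but keeping the writes last makes the invariant visible in the code rather than relying on the host to roll back.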
All dependencies are scanned automatically on every CI run and weekly:
| Tool | Scope | Failure threshold |
|---|---|---|
| `cargo audit` | Rust crates | Any advisory |
| `npm audit` | Frontend packages | High or critical CVEs |
| Dependabot | Rust, npm, GitHub Actions | Automated PRs weekly |
- Detection — `cargo audit` or `npm audit` fails CI, or Dependabot opens a PR.
- Triage — maintainer assesses severity within 48 hours.
- Patch — dependency updated or workaround applied within 7 days for high/critical, 30 days for moderate.
- Release — patched version published with a CHANGELOG entry.
- Disclosure — public advisory issued after the fix is deployed.
See AUDIT.md for audit history and scope.