| Version | Supported |
|---|---|
latest (main) |
✅ |
Please do not open a public issue for security vulnerabilities. Instead, report them privately:
- Email edy.cu@live.com, or
- Use GitHub's private vulnerability reporting (Security → Report a vulnerability).
You'll get an acknowledgment within 48 hours and a resolution timeline after triage. Please give us a reasonable window to patch before public disclosure.
OKX_API_KEY/OKX_SECRET_KEY/OKX_PASSPHRASEare Facilitator credentials — never commit real values (.envis git-ignored; only.env.exampleis tracked).- Payment verification (
api/rails/okx.ts) does real EIP-3009/EIP-712 signature checks offline viaviem; report any bypass of that check as a critical finding. - Known non-blocking issue:
vitest's transitive dev-dependency chain (esbuild/vite) currently reports moderate/high/critical advisories innpm audit. These are dev-only (test runner), not shipped in the running service, and are tracked via Dependabot rather than force-upgraded mid-hackathon to avoid destabilizing the test suite.