## Our security policy and Your responsibility

- **POLICY**: *Our security policy is to avoid leaving the ecosystem worse than we found it. Meaning we are not planning to introduce vulnerabilities into the ecosystem.*

The merkle_bit/starling team and community take all security bugs in merkle_bit/starling seriously. Thank you for improving the security of merkle_bit/starling. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.

Report security bugs by emailing the lead maintainer at chosunone@protonmail.com and include the word "SECURITY" in the subject line.

The lead maintainer will acknowledge your email within a week, and will send a more detailed response 48 hours after that indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.

- merkle_bit/starling will confirm the problem and determine the affected versions.
- merkle_bit/starling will audit code to find any potential similar problems.
- merkle_bit/starling will prepare fixes for all releases still under maintenance. These fixes will be released as fast as possible.

Report security bugs in third-party modules to the person or team maintaining the module.

- **SECURITY DISCLOSURE**: *Your responsibility is to report vulnerabilities to us using the guidelines outlined below.*

- merkle_bit/starling security contact { contact: mailto:chosunone@protonmail.com }

- Disclosure format: When disclosing vulnerabilities, please:
  1. Give your name and affiliation (if any).
  2. Include the scope of the vulnerability. Let us know who could use this exploit.
  3. Document the steps to identify the vulnerability. It is important that we can reproduce your findings.
  4. Describe how to exploit the vulnerability; give us an attack scenario.

### Encryption key for chosunone@protonmail.com

For critical flaws and sensitive security information you may encrypt your transmission with the key below.

## merkle_bit/starling Checklist: Security Recommendations

Follow these steps to improve security when using merkle_bit/starling.

1. ...SEE SOMETHING
2. ...SAY SOMETHING

### 1)...SEE SOMETHING

We suggest you go to #2 if this happens.

**Why?**

Through experience we have found it is best to go to #2 in this situation.

## Version

**version 0.0.1**