Security policy¶

Reporting a vulnerability¶

Please report security issues privately. Do not open a public GitHub issue for suspected vulnerabilities.

In scope:

apps/rgs-server: game launch API, wallet adapter, signing, idempotency.
apps/operator-portal: back-office auth, session management, config edits.
packages/operator-sdk: SDK operators would embed.
packages/rng-core/src/: shared commit-reveal primitives (seed generation, HMAC derivation, seed verification).
games/<code>/src/outcome.ts: per-game outcome mapping that composes the rng-core primitives.
apps/rgs-server/src/services/ProofService.ts: the proof-reveal gating on /v1/rounds/:id/proof.
Schema, migrations, and the WalletCall audit ledger.

Out of scope:

apps/mock-operator: development-only fake casino + fake wallet, not a production artifact.
apps/game-client: PixiJS iframe with no auth surface; all sensitive state lives server-side.
Issues requiring physical access, stolen operator credentials, or social-engineering that bypasses signed-request verification.

We will not pursue legal action against researchers who:

Make a good-faith effort to avoid privacy violations, data destruction, and service disruption.
Only interact with accounts they own or have explicit permission to test.
Do not exploit a vulnerability beyond what is necessary to confirm it.
Give us reasonable time to remediate before public disclosure.

Day 0: report received, acknowledgment sent.
Day 0-7: triage, severity assessment, fix scoping.
Day 7-60: remediation.
Day 90: coordinated public disclosure, regardless of fix status, unless an extension is mutually agreed.

(No disclosures yet. Reporters listed here with permission.)