The Rayls Network team takes the security of the protocol and its users seriously. We are grateful to the security researchers and node operators who help keep the network safe.
Please do not report security vulnerabilities through public GitHub issues, pull requests, or Discord.
Report vulnerabilities privately through GitHub's private vulnerability reporting:
- Open the Security tab of this repository.
- Click "Report a vulnerability" and complete the advisory form.
This opens a channel visible only to the maintainers. If you are unable to use GitHub's private reporting, contact a maintainer via the Rayls Network Discord to arrange a secure disclosure channel — do not include vulnerability details in public messages.
Where possible, please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce, or a proof of concept.
- The affected component(s), version(s), and configuration.
- Any suggested remediation.
- We will acknowledge receipt of your report within 48 hours.
- We will provide an initial assessment within 5 business days.
- We will keep you informed of our progress as we investigate and resolve the issue.
- Once resolved, we will notify you and coordinate public disclosure timing.
| In-Scope | Out-of-Scope |
|---|---|
| Core protocol code (this repo) | 3rd-party forks/dApps |
| Rayls Smart Contracts | Non-official integrations |
- Already reported vulnerabilities.
- Vulnerabilities in dependencies (report to the dependency maintainer; we track dependency advisories via
cargo-denyand Trivy). - Theoretical vulnerabilities without a proof of concept.
- Social engineering attacks.
- All vulnerability reports and associated communications are treated as confidential.
- We kindly ask that you not publicly disclose any details until we have released a fix and agreed on a disclosure timeline.
- We aim to fix critical vulnerabilities as quickly as possible.
- We may provide pre-disclosure to key partners and node operators to ensure network stability.
Rayls Network does not currently operate a public bug-bounty program. We still greatly value responsible disclosure and are happy to provide recognition for valid reports (see Credits below). This section will be updated if a program is launched.
The Rayls Network protocol has undergone a third-party security audit by Halborn. Remediated findings are recorded in CHANGELOG.md under the "Security Fixes (Halborn Audit)" entries. Contact the maintainers for audit details.
Rayls Network is under active development. Security fixes are released against the latest stable release; node operators are strongly encouraged to always run the latest release.
| Version | Supported |
|---|---|
| 1.1.x | ✅ |
| < 1.1 | ❌ |
We thank all security researchers who responsibly disclose vulnerabilities. If you wish to receive credit for a valid report, let us know and we will acknowledge your contribution. Your support is critical to keeping our protocol safe for the community.