If you discover a security vulnerability in NebGov, please report it responsibly. Do not open a public GitHub issue.

To report a vulnerability:
- Go to GitHub Security Advisories
- Click "Report a vulnerability"
- Fill in the details of the vulnerability
- Submit the report

Include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected component (contract, SDK, frontend)
- Potential impact
- Suggested fix (if any)

Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix and disclosure: Coordinated with the reporter

The following components are in scope:

| Component | Repository Path |
|---|---|
| Governor Contract | contracts/governor |
| Timelock Contract | contracts/timelock |
| Token Votes Contract | contracts/token-votes |
| Governor Factory | contracts/governor-factory |
| Treasury Contract | contracts/treasury |
| TypeScript SDK | sdk/ |

The frontend (`app/`) is lower priority but still in scope.

The following are out of scope:
- Issues in third-party dependencies (report upstream)
- Testnet-only issues with no mainnet impact
- Social engineering or phishing

Supported versions:

| Version | Supported |
|---|---|
| main branch | Yes |
| Tagged releases | Yes |
| Older commits | No |