Security Reporting
Report security vulnerabilities privately. Do not open a public GitHub issue for a suspected vulnerability.
This page summarizes ../tidecoin/SECURITY.md.
Preferred Channel
Use GitHub Private Vulnerability Reporting on the tidecoin/tidecoin
repository:
- Open the repository Security tab.
- Choose “Report a vulnerability.”
- Include reproduction steps and impact notes.
Alternative Email
Email falcon1024@protonmail.com for security reports. This address is not for
general support.
If both parties use Proton Mail, Proton’s post-quantum encrypted email support may apply. Do not rely on email alone for large exploit payloads or highly sensitive material if you can use GitHub’s private reporting flow.
Scope
Security scope includes:
- tidecoind, tidecoin-qt, tidecoin-cli, tidecoin-wallet, tidecoin-tx, and tidecoin-util;
- consensus and validation logic;
- PQ signature schemes;
- PQHD wallet derivation;
- ML-KEM-512 P2P transport;
- wallet secret handling;
- RPC security issues.
What To Include
- Affected version or commit.
- Reproduction steps.
- Expected and actual behavior.
- Impact assessment.
- Crash input, transaction, block, PSBT, or logs if applicable.
- Suggested fix if you have one.
Response Timeline
| Step | Target |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix and disclosure | Coordinated with the reporter |
Public Discussion Rule
Do not post exploit details, crashing inputs, private keys, wallet dumps, or unpatched attack paths in public issues, PRs, chats, or docs.
See also: Contributing, Release Process, Node RPC Security.