Security Disclosure
Responsible disclosure policy
Reporting a vulnerability
If you discover a security vulnerability in the Stealth Pay smart contracts, circuits, or frontend, please report it responsibly. Do not open a public GitHub issue for security-sensitive bugs.
Open a private security advisory through GitHub Security Advisories. We aim to respond within 48 hours.
Scope
- Smart contracts (PrivacyPool, verifiers)
- ZK circuits (shield, spend, Poseidon)
- TypeScript SDK
- Frontend application
Out of scope
- Issues in third-party dependencies (report upstream)
- Theoretical attacks with no practical exploit path
- UI/UX bugs with no security impact
Our commitment
We will acknowledge your report, investigate promptly, and credit you in the fix announcement (unless you prefer to remain anonymous). We ask that you give us reasonable time to patch before public disclosure.
Audit reports
See the AI security report in the documentation for a full analysis of the protocol's security properties.