The security of Story is critical. If you discover any security vulnerabilities, we appreciate your help in responsibly disclosing them to us.
Please do not file a public ticket mentioning the vulnerability.
We are in the process of setting up a bug bounty program. This document will be updated when ready, and the program will be announced on our channels.
We recommend waiting until the program is ready before reporting, but if you find a vulnerability that will put the network at risk, please send an email to [email protected]. We kindly request that you provide us with the following details:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce the vulnerability.
- Any additional information or proof of concept that can help us understand and address the issue.
If applicable, rewards will be provided through the bug bounty program when ready.
There is a series of known issues reported by our multiple auditors. Please review our audit reports to make sure you are not reporting a duplicate.
Folders:
- geth: audits of the original geth codebase
- story: Story network audits (scope includes Story Geth, Story Consensus Client and Cosmos fork; please refer to the relevant issues for this repository)
Story has undergone a public audit competition by Cantina. We will publish the report as soon as the judging period is over. Please be advised that there is a high chance that your reported vulnerability is a duplicate if you report it before we publish the report.
We believe in responsible disclosure and request that you refrain from publicly disclosing any vulnerabilities until we have had sufficient time to investigate and address them. We appreciate your cooperation in helping us maintain the security and integrity of our blockchain network.
Please note that this document is subject to change and may be updated as our security practices evolve. We encourage you to check back regularly for any updates or changes.