Responsible Disclosure

Navcoin is experimental technology and sometimes critical bugs are found. If you’re a researcher and you’ve found a critical vulnerability here’s how you can talk securely with the Navcoin Core developers.

Disclosure Procedure

If you think you’ve found a critical vulnerability in Navcoin’s protocol, please don’t hesitate to contact the Navcoin Core developers. We are committed to coordinating with you and any other affected parties to ensure any disclosure is handled discreetly and in a timely manner.

The best place to report the vulnerability is to disclosure@navcoin.org. You can encrypt your message with the GPG key found on the Navcoin GitHub.

Disclosure GPG Key

https://github.com/NAVCoin/public-keys/blob/master/org.navcoin.disclosure.pub

Ideally the disclosure would include:

  • A docker image with python tests showing the vulnerability
  • Detailed notes about the vulnerability and affected parts of the code
  • Suggested mitigation strategies.
  • Your GPG public key so we can securely reply to you.

If you’re unable to communicate with this way please reach out any of the admins on the Navcoin Discord channel and we will setup a secure private channel with you.