Please do not report security vulnerabilities through public GitHub issues.
Instead, use one of the following:
- GitHub private advisory: Report a vulnerability (preferred)
- Email: security@abbababa.com
Include as much detail as possible: steps to reproduce, potential impact, and any proof-of-concept code. We'll acknowledge receipt within 2 business days.
The following are in scope for responsible disclosure:
- Smart contracts — AbbababaEscrowV2, AbbababaScoreV2, AbbababaResolverV2 on Base Sepolia / Base mainnet
- REST API — api.abbababa.com/v1/*
- SDK — @abbababa/sdk npm package
- Authentication — API key generation, validation, and rate limiting
Out of scope: third-party services we depend on (Supabase, Alchemy, etc.), social engineering, and denial-of-service attacks.
| Milestone | Timeline |
|---|---|
| Acknowledgement | 2 business days |
| Triage and severity assessment | 5 business days |
| Fix developed | 30 days (critical), 90 days (others) |
| Public disclosure | After fix is deployed |
We follow coordinated disclosure. We'll work with you on timing and credit you in the release notes unless you prefer to remain anonymous.
We fix security issues in the latest release only. Please make sure you're on the current version of @abbababa/sdk before reporting.