| Version | Supported |
|---|---|
| 1.2.x | ✅ |
| 1.1.x | ✅ |
| 1.0.x | ✅ |
| < 1.0 | ❌ |

DO NOT open a public issue for security vulnerabilities.
Instead, please report security issues via:
- GitHub Security Advisories: https://github.com/Abba-Baba/abbababa-sdk/security/advisories/new
You will receive a response within 48 hours. If the issue is confirmed, we will:
- Release a fix as soon as possible
- Credit you in the security advisory (unless you prefer to remain anonymous)
- Publish a security advisory on GitHub
When using this SDK:
- Never commit private keys to version control
- Use environment variables for sensitive data
- Create separate test wallets for development
- Never share private keys with anyone
- Store API keys in `.env` files (add to `.gitignore`)
- Rotate API keys regularly
- Use different keys for development and production
- Revoke keys immediately if compromised
- Keep dependencies up to date
- Run `npm audit` regularly
- Use the latest SDK version
- Review dependency changes before updating
- Use HTTPS for all API calls (enforced by SDK)
- Verify smart contract addresses before transactions
- Use testnet for development and testing
- Monitor transaction activity
- Enable 2FA on your Abbababa account
- Use hardware wallets for mainnet
- Verify transaction details before signing
- Keep backup of recovery phrases
- All escrow contracts are upgradeable (UUPS pattern)
- Verify contract addresses match official deployments
- Check contract source code on BaseScan
- Understand escrow flow before funding
- Registration uses EIP-191 message signing
- Messages include timestamp (5-minute expiry)
- Verify you're signing on the correct network
- Don't sign messages you don't understand
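An added example, not the SDK's own code: it builds the EIP-191 ("personal_sign", version 0x45) envelope a wallet signs and applies the two checks this section asks for before signing or accepting a registration message: the timestamp is inside the 5-minute window and the chain ID is the intended network. The JSON message layout, the `abbababa:register` action name and the field names are assumptions made for this example.

```javascript
// Added example (not abbababa-sdk code). The message layout below
// (JSON with action / chainId / timestamp) is an assumption for this example.
const EXPIRY_MS = 5 * 60 * 1000;    // 5-minute expiry, as stated in this policy
const CLOCK_SKEW_MS = 30 * 1000;    // tolerate small clock drift between parties
const BASE_MAINNET_CHAIN_ID = 8453; // Base mainnet; contracts are verified on BaseScan

// EIP-191 personal-message envelope. The prefix carries the *byte* length of
// the message (UTF-8), not its character count; a common mistake is to use
// message.length, which differs for non-ASCII text.
function eip191Envelope(message) {
  const body = Buffer.from(message, 'utf8');
  const prefix = Buffer.from(`\x19Ethereum Signed Message:\n${body.length}`, 'utf8');
  return Buffer.concat([prefix, body]);
}

// Returns null when the message is safe to sign/accept, otherwise a reason.
// `timestamp` is Unix seconds; `nowMs` is injectable so the check is testable.
function checkRegistrationMessage(message, expectedChainId, nowMs = Date.now()) {
  let parsed;
  try { parsed = JSON.parse(message); } catch { return 'unparseable message'; }
  if (parsed.action !== 'abbababa:register') return 'unexpected action';
  if (parsed.chainId !== expectedChainId) return `wrong network: ${parsed.chainId}`;
  if (!Number.isInteger(parsed.timestamp)) return 'missing timestamp';
  const ageMs = nowMs - parsed.timestamp * 1000;
  if (ageMs < -CLOCK_SKEW_MS) return 'timestamp in the future';
  if (ageMs > EXPIRY_MS) return 'message expired';
  return null;
}

// Constructed sample: a registration message minted one minute ago on Base mainnet.
const sampleMessage = JSON.stringify({
  action: 'abbababa:register',
  chainId: BASE_MAINNET_CHAIN_ID,
  timestamp: Math.floor(Date.now() / 1000) - 60,
});
console.log(checkRegistrationMessage(sampleMessage, BASE_MAINNET_CHAIN_ID)); // null
console.log(eip191Envelope(sampleMessage).subarray(0, 26).toString('latin1'));
```

A wallet that shows the raw text lets you confirm the `chainId` and `timestamp` fields yourself before approving the signature, which is the practical form of "verify you're signing on the correct network".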
- API rate limits prevent abuse
- Memory/Messaging APIs have daily quotas
- Excessive requests may result in temporary blocks
- See Rate Limits
We currently do not have a formal bug bounty program, but we appreciate responsible disclosure and will recognize contributors who help keep the platform secure.
Rewards:
- Critical vulnerabilities: Public recognition + potential monetary reward
- High severity: Public recognition
- Medium/Low severity: Thank you in release notes
Security updates are published:
- As GitHub Security Advisories
- In the CHANGELOG.md
- Via npm package updates
- On our status page: https://status.abbababa.com
In the event of a security incident:
- Immediate: We'll patch critical vulnerabilities within 24 hours
- Notification: Affected users will be notified via GitHub Security Advisory
- Disclosure: Public disclosure after fix is deployed
- Post-mortem: Published within 7 days of resolution
Smart contract audit reports are available:
For security concerns:
- GitHub Security Advisories: https://github.com/Abba-Baba/abbababa-sdk/security/advisories/new
- Response Time: Within 48 hours
For general support:
- GitHub Issues: https://github.com/Abba-Baba/abbababa-sdk/issues
- Documentation: https://docs.abbababa.com
Last Updated: 2026-03-02