If you discover a security vulnerability in Mantle, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, email security@dvflw.dev with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Response timeline:

- Acknowledgment: within 48 hours
- Triage: within 7 business days
- Fix: depends on severity; critical issues are typically fixed within 30 days
Security fixes are provided for the following versions:

| Version | Supported |
|---|---|
| 0.1.x | Yes |
We follow coordinated disclosure with a 90-day window, counted from the initial report. After reporting:

- We acknowledge receipt and begin investigation
- We develop and test a fix
- We release the fix and publish an advisory
- You may disclose publicly after the fix is released, or 90 days after the initial report, whichever comes first
The following areas are in scope for security reports:

- Authentication bypass (API key, OIDC)
- Cross-tenant data access or modification
- Credential exposure or decryption
- Injection vulnerabilities (SQL, CEL expression, JSON)
- Unauthorized workflow execution or cancellation
- Secret exfiltration through expressions or logs
- Privilege escalation in RBAC

The following are lower priority or out of scope:

- Denial of service through resource exhaustion (please report these, but they are treated as lower priority)
- Issues in dependencies (report them upstream; let us know if one affects Mantle)
- Social engineering