Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in Meridian, please report it responsibly:

1. Email: Send details to security@meridian.finance (or the repository owner)
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact assessment
   • Suggested remediation (if any)

• Acknowledgment: Within 48 hours of your report
• Initial Assessment: Within 5 business days
• Status Updates: At least weekly until resolution
• Resolution Timeline: Depends on severity (see below)

We consider security research conducted in accordance with this policy to be:

• Authorized under the Computer Fraud and Abuse Act
• Exempt from DMCA provisions
• Conducted in good faith

We will not pursue legal action against researchers who:

• Follow responsible disclosure practices
• Avoid privacy violations and data destruction
• Do not exploit vulnerabilities beyond proof of concept

When using Meridian:

• Never commit .env files with real credentials
• Use strong, unique passwords for all services
• Rotate API keys and secrets regularly
• Enable 2FA where available

• Use HTTPS in production (enforced via HSTS)
• Configure proper CORS origins
• Enable rate limiting
• Monitor logs for suspicious activity

• Verify contract addresses before interaction
• Review transaction details before signing
• Use hardware wallets for significant holdings
• Stay updated on security advisories

We track known security issues in our internal tracker. Critical issues affecting production are disclosed after patches are available.

We appreciate the security research community and maintain a hall of fame for responsible disclosures (with researcher permission).

For security concerns: security@meridian.finance For general questions: Open a GitHub discussion