# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |
| < 0.1   | :x:                |

## Reporting a Vulnerability

**DO NOT** create a public GitHub issue for security vulnerabilities.

### Bug Bounty Program

For vulnerabilities in scope of our bug bounty program, please report via:

**[Immunefi](https://immunefi.com/bounty/synor)** (Preferred)

Rewards range from $500 to $100,000 depending on severity. See [docs/BUG_BOUNTY.md](docs/BUG_BOUNTY.md) for full program details.

### Direct Reporting

For issues not suitable for the bug bounty program:

**Email:** security@synor.cc

Include:

- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Your contact information

### PGP Key

For encrypted communication:

```
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Key will be added when available]
-----END PGP PUBLIC KEY BLOCK-----
```

## Response Timeline

| Action             | Timeframe           |
|--------------------|---------------------|
| Acknowledgment     | 24 hours            |
| Initial assessment | 72 hours            |
| Status update      | Weekly              |
| Fix release        | Depends on severity |

## Security Best Practices

When running a Synor node:

1. **Keep updated** - Always run the latest stable version
2. **Secure RPC** - Don't expose RPC to the public internet without authentication
3. **Firewall** - Only allow necessary ports (17511 P2P, 17110 RPC)
4. **Backups** - Regularly back up your wallet and node data
5. **Keys** - Never share private keys or seed phrases

## Known Security Audits

| Date      | Auditor | Scope         | Report |
|-----------|---------|---------------|--------|
| *Pending* | *TBD*   | Full Protocol | *TBD*  |

## Disclosure Policy

We follow responsible disclosure:

1. Reporter notifies us privately
2. We acknowledge and assess
3. We develop and test a fix
4. Fix is deployed
5. Public disclosure after 30 days (or sooner if coordinated)

## Security Advisories

Security advisories will be published at:

- [GitHub Security Advisories](https://github.com/synor/synor/security/advisories)
- [Blog](https://synor.cc/blog)
- [Discord](https://discord.gg/synor) #announcements

## Hall of Fame

We thank the following researchers for responsible disclosure:

*No reports yet - be the first!*