Do not disclose any bug or vulnerability on public forums, message boards, mailing lists, etc. prior to responsibly disclosing to Nighthawk Team and giving sufficient time for the issue to be fixed and deployed. Do not execute on or exploit any vulnerability.
Reporting a Bug or Vulnerability
When reporting a bug or vulnerability, please provide the following to email@example.com
A short summary of the potential impact of the issue (if known). Details explaining how to reproduce the issue or how an exploit may be formed. Your name (optional). If provided, we will provide credit for disclosure. Otherwise, you will be treated anonymously and your privacy will be respected. Your email or other means of contacting you. A PGP key/fingerprint for us to provide encrypted responses to your disclosure. If this is not provided, we cannot guarantee that you will receive a response prior to a fix being made and deployed.
Encrypting the Disclosure
We highly encourage all disclosures to be encrypted to prevent interception and exploitation by third-parties prior to a fix being developed and deployed. Please encrypt using the PGP public key with fingerprint:
There are some known areas for improvement:
lightwalletd is under active development, some features are more stable than others. The code has not been subjected to a thorough review by an external auditor, and recent code changes have not yet received security review from Electric Coin Company’s security team.
Developers should familiarize themselves with the wallet app threat model, since it contains important information about the security and privacy limitations of light wallets that use lightwalletd.
See the Wallet App Threat Model for more information about the security and privacy limitations of the wallet.