Security Policy
Monolythium values the work of security researchers who help keep the protocol and ecosystem safe. This document describes how to report vulnerabilities, what to expect during the process, and the scope of our security program.
Reporting a Vulnerability
If you discover a security vulnerability in any Monolythium component, please report it privately rather than creating a public GitHub issue or disclosing it on social media.
Email: security@monolythium.com
Public disclosure of unpatched vulnerabilities puts users at risk. Always use the private reporting channel above. We will coordinate public disclosure with you after a fix is deployed.
What to Include
A good vulnerability report helps us triage and fix the issue quickly. Please include as much of the following as possible:
- Description -- A clear explanation of the vulnerability and what it allows an attacker to do
- Steps to reproduce -- Detailed, step-by-step instructions to trigger the vulnerability
- Affected component -- The specific repository, module, contract, or service affected
- Affected version -- The software version or commit hash where the vulnerability exists
- Potential impact -- Your assessment of the severity and what could be exploited
- Proof of concept -- Code, transaction hashes, or screenshots demonstrating the issue
- Suggested fix -- If you have a recommendation for how to resolve the issue (optional)
Response Timeline
We aim to respond to all security reports promptly:
| Stage | Target Timeline |
|---|---|
| Acknowledgment | Within 24 hours of report submission |
| Triage | Within 72 hours -- initial severity assessment and confirmation |
| Fix development | Depends on severity (see table below) |
| Disclosure | Coordinated with reporter after fix is deployed |
Fix Timelines by Severity
| Severity | Target Fix Timeline | Examples |
|---|---|---|
| Critical | 7 days | Fund theft, consensus bypass, private key exposure |
| High | 14 days | Denial of service, significant state corruption, access control bypass |
| Medium | 30 days | Information disclosure, non-critical logic errors, limited impact exploits |
| Low | 90 days | Minor issues, edge cases with negligible impact, cosmetic security items |
These timelines are targets. Complex issues may require additional time. We will keep reporters updated on progress throughout the remediation process.
Scope
In Scope
The following components are covered by this security policy:
| Component | Repository / Location |
|---|---|
| Core chain (monod) | mono-labs-org/mono-chain |
| LythiumBFT consensus | mono-labs-org/lythiumbft |
| Smart contracts | mono-labs-org/monolythium-contracts |
| Desktop Wallet | mono-labs-org/monolythium-desktop-wallet |
| Mobile Wallet | mono-labs-org/monolythium-mobile-wallet |
| Browser Extension | mono-labs-org/monolythium-browser-wallet |
| Monoscan Explorer | mono-labs-org/monoscan |
| MonoHub Frontend | mono-labs-org/monohub-frontend |
| Indexer / API | mono-labs-org/monolythium-indexer |
Out of Scope
The following are not covered by this policy:
- Third-party integrations and external protocols
- Social engineering, phishing, or physical attacks
- Denial-of-service attacks against public infrastructure (DDoS)
- Issues in dependencies that have already been reported upstream
- Bugs in third-party wallets (MetaMask, Trust Wallet, Keplr) unless caused by Monolythium-specific code
- Content or UI issues that do not have a security impact
Safe Harbor
Monolythium will not pursue legal action against security researchers who:
- Act in good faith and follow this disclosure policy
- Do not access, modify, or delete user data or funds
- Do not disrupt production services or degrade network performance
- Do not access production validator infrastructure
- Report findings privately and allow reasonable time for remediation
If you are unsure whether your research falls within these guidelines, contact us at security@monolythium.com before proceeding. We are happy to clarify scope.
Recognition
Researchers who responsibly disclose valid vulnerabilities will be:
- Acknowledged in the release notes for the version that includes the fix (with your permission)
- Listed on this page in a future Hall of Fame section (with your permission)
- Eligible for rewards through the Bug Bounty program
We will never publish your name or details without your explicit consent.
Further Reading
- Security Audits -- Audit history and ongoing security practices
- Bug Bounty -- Community bug reporting program with LYTH rewards