This document explains the Succinct's process for handling issues reported and what to expect in return.

You can find audits of SP1 here.

Security advisories for SP1 can be found here.

All security bugs in SP1's production distribution should be reported through the SP1 Bug Bounty program on code4rena here.

If you need to contact the SP1 team by email regarding security, please use the address [email protected].

Depending on the nature of your issue, it will be categorized as an issue in the PUBLIC, PRIVATE, or URGENT track.

Issues in the PUBLIC track affect niche configurations, have very limited impact, or are already widely known.

PUBLIC track issues are fixed on the dev branch, and get backported to the next scheduled minor releases.

Issues in the PRIVATE track are violations of committed security properties.

PRIVATE track issues are fixed in the next scheduled minor releases, and are kept private until then.

Days before the release, a pre-announcement is sent to partners, announcing the presence of a security fix in the upcoming releases, and which component in SP1 is affected (but not disclosing any more details).

URGENT track issues are a threat to the SP1 ecosystem's integrity, or are being actively exploited in the wild leading to severe damage.

URGENT track issues are fixed in private, and trigger an immediate dedicated security release, possibly with no pre-announcement.

The SP1 project uses the following disclosure process:

• Once the security report is received it is assigned a primary handler. This person coordinates the fix and release process.
• The issue is confirmed and a list of affected components is determined.
• Code is audited to find any potential similar problems.
• Fixes are prepared for the next major and minor releases.
• On the date that the fixes are applied, issues are disclosed as security advisories on the repository and partners are notified.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the bug in as timely a manner as possible, however it's important that we follow the process described above to ensure that disclosures are handled consistently.

Vulnerabilities should be kept private until otherwise communicated by the Succinct team. This policy is to ensure a fix can be made in private and not be actively exploited.

This document is based on the Gnark Security Policy.