Security: block/model-ledger

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, report them privately via the repository's Security tab → Report a vulnerability (GitHub's private vulnerability reporting).

For assistance or escalation, contact the Block Open Source Governance Committee.

Scope notes

model-ledger stores model inventory metadata. A few boundaries worth knowing when assessing impact:

  • The ledger trusts its callers: record() accepts arbitrary payloads, and the REST API does not ship authentication — deployments are expected to run it behind their own auth layer (see the backends guide).
  • Snapshot hashes provide content addressing and tamper evidence for snapshot payloads, not a cryptographic chain over the full event history — see guarantees for the precise integrity model.
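
The second boundary is easy to misjudge when assessing impact, so here is an added illustration of the difference between the two integrity models. This is example code written for this note, not model-ledger's own implementation; the function names, the field layout of the records and the sample model entries are all constructed. A per-snapshot content hash detects any edit to a payload, but because each hash depends only on its own payload, removing or reordering events leaves every remaining hash valid. A hash chain, which the note says the ledger does not provide, links each event to its predecessor, so the same deletion is caught against a known head hash.

```python
"""Added illustration (not model-ledger code): content-addressed snapshot
hashes versus a hash chain over the event history. All records are constructed."""
import hashlib
import json

GENESIS = "0" * 64  # assumed starting link for the chain


def canonical(payload: dict) -> bytes:
    # Canonical JSON so semantically equal payloads hash identically.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def snapshot_hash(payload: dict) -> str:
    # Content addressing: the hash depends on this payload alone.
    return hashlib.sha256(canonical(payload)).hexdigest()


def content_addressed(payloads: list[dict]) -> list[dict]:
    return [{"payload": p, "hash": snapshot_hash(p)} for p in payloads]


def verify_snapshots(events: list[dict]) -> bool:
    # Each event is checked only against its own payload; history shape is not checked.
    return all(e["hash"] == snapshot_hash(e["payload"]) for e in events)


def chain_events(payloads: list[dict]) -> list[dict]:
    # Hash chain: each link commits to the previous hash as well as the payload.
    prev, chained = GENESIS, []
    for p in payloads:
        h = hashlib.sha256(prev.encode() + canonical(p)).hexdigest()
        chained.append({"payload": p, "prev": prev, "hash": h})
        prev = h
    return chained


def verify_chain(events: list[dict], expected_head: str) -> bool:
    # Recompute every link and require the final hash to equal a head recorded elsewhere.
    prev = GENESIS
    for e in events:
        recomputed = hashlib.sha256(prev.encode() + canonical(e["payload"])).hexdigest()
        if e["prev"] != prev or e["hash"] != recomputed:
            return False
        prev = e["hash"]
    return prev == expected_head


# Constructed sample history of model inventory records.
PAYLOADS = [
    {"model": "example-scorer", "version": "1.0.0", "artifact": "sha256:PLACEHOLDER-A"},
    {"model": "example-scorer", "version": "1.1.0", "artifact": "sha256:PLACEHOLDER-B"},
    {"model": "example-ranker", "version": "0.3.0", "artifact": "sha256:PLACEHOLDER-C"},
]


def tampered_payload_detected() -> tuple[bool, bool]:
    """Edit one payload in place. Returns (snapshots caught it, chain caught it)."""
    events = content_addressed(PAYLOADS)
    events[1]["payload"] = {**events[1]["payload"], "version": "9.9.9"}
    chain = chain_events(PAYLOADS)
    head = chain[-1]["hash"]
    chain[1]["payload"] = {**chain[1]["payload"], "version": "9.9.9"}
    return (not verify_snapshots(events), not verify_chain(chain, head))


def deleted_event_detected() -> tuple[bool, bool]:
    """Drop the middle event. Returns (snapshots caught it, chain caught it)."""
    events = content_addressed(PAYLOADS)
    chain = chain_events(PAYLOADS)
    head = chain[-1]["hash"]
    return (
        not verify_snapshots(events[:1] + events[2:]),
        not verify_chain(chain[:1] + chain[2:], head),
    )


if __name__ == "__main__":
    print("payload edit detected (snapshots, chain):", tampered_payload_detected())
    print("deletion detected     (snapshots, chain):", deleted_event_detected())
```

For a deployment this means the snapshot hashes answer "is this payload the one that was recorded?" but not "is this the complete, unaltered sequence of events?"; the latter needs a separate control such as an append-only or access-controlled backend, which is why the note points to the guarantees document and the backends guide.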

Supported versions

Security fixes land on main and ship in the next release; older releases are not patched retroactively.

There aren't any published security advisories