Merge branch 'master' into venom/pick
Showing 207 changed files with 6,707 additions and 4,869 deletions.
@@ -2,72 +2,35 @@ | |
|
||
## Supported Versions | ||
|
||
Vyper is currently in limited beta. | ||
This means that we only support the latest release and that you may encounter issues using it. | ||
It is un-audited software, use with caution. | ||
- it is recommended to follow the list of known [vulnerabilities](https://github.com/vyperlang/vyper/security/advisories) and stay up-to-date with the latest releases | ||
- as of May 2024, the `0.4.0` release is the most secure and the most comprehensively reviewed one and is recommended for use in production environments | ||
- if a compiler vulnerability is found, a new compiler version with a patch will be released. The vulnerable version itself is not updated (see the examples below). | ||
- `example1`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found in `0.4.0`, then a patch will be released in `0.4.1` | ||
- `example2`: suppose `0.4.0` is the latest version and a hypothetical vulnerability is found both in `0.3.10` and `0.4.0`, then a patch will be released only in `0.4.1` | ||
|
||
## Audit reports | ||
## Compiler Audits | ||
|
||
Vyper is constantly changing and improving. | ||
This means the latest version available may not be audited. | ||
We try to ensure the highest security code possible, but occasionally things slip through. | ||
- Vyper conducts recurring security audits with multiple firms. Additionally, a competitive audit with [CodeHawks](https://www.codehawks.com/contests/cll5rujmw0001js08menkj7hc) was conducted during the fall of 2023. | ||
- all Vyper audits can be found in a separate repository: [vyperlang/audits](https://github.com/vyperlang/audits) | ||
|
||
### Compiler Audits | ||
|
||
At specific releases, we conduct audits with experienced security professionals to ensure that the codebase quality is high, | ||
and that we minimize the chance of critical bugs as much as possible. | ||
## Known Vyper Vulnerabilities | ||
|
||
Here are the audits we have undergone in the past: | ||
|
||
| Audit Type | Audit Date | Auditor | Version | Report Link | | ||
| ---------- | ---------- | ------- | ------- | ----------- | | ||
| Preliminary Review | October 28, 2019 | [ConsenSys Diligence](https://consensys.net/diligence/) | 0.1.0b13 | https://consensys.net/diligence/audits/2019/10/vyper/ | | ||
|
||
### Major Project Audits | ||
|
||
Please read prior audit reports for projects that use Vyper here: | ||
|
||
<!-- Please use the tagged version if possible, or commit hash if a non-tagged version was used. --> | ||
|
||
| Project | Version | Report Link | | ||
| ------- | ------- | ----------- | | ||
| [Uniswap](https://uniswap.io) | 35038d2 | https://medium.com/consensys-diligence/uniswap-audit-b90335ac007 | | ||
| [Computable](https://github.com/computablelabs/computable) | 0.1.0b10 | https://github.com/trailofbits/publications/raw/master/reviews/computable.pdf | | ||
|
||
## Known Vyper Vulnerabilities and Exposures (VVEs) | ||
|
||
The link below is a list of all publicly disclosed vulnerabilities and exposures. | ||
- The link below lists all publicly disclosed vulnerabilities and exposures. | ||
Best Practices dictate that when we are first made aware of a potential vulnerability, | ||
we take the precaution of assessing it's potential impact to deployed projects first. | ||
When we are confident that a disclosure will not impact known projects that use Vyper, | ||
we take precautions by assessing its potential impact on deployed projects. | ||
When we are confident that disclosure will not impact known projects that use Vyper, | ||
we will add an entry to the list of security advisories for posterity and reference by others. | ||
|
||
https://github.com/vyperlang/vyper/security/advisories | ||
- list of publicly known vulnerabilities: https://github.com/vyperlang/vyper/security/advisories | ||
|
||
## Reporting a Vulnerability | ||
|
||
If you think you have found a security vulnerability with a project that has used Vyper, | ||
please report the vulnerability to the relevant project's security disclosure program prior | ||
to reporting to us. If one is not available, submit it at https://github.com/vyperlang/vyper/security/advisories. | ||
## Bug Bounty Program | ||
- as of May 2024, Vyper does not have a bug bounty program. It is planned to instantiate one soon. | ||
|
||
**Please Do Not Log An Issue** mentioning the vulnerability. | ||
## Reporting a Vulnerability | ||
|
||
If you have contacted the relevant project, or you have found something that you do not think affects | ||
a particular project, please also email your vulnerability to [email protected]. Our PGP key is: | ||
``` | ||
-----BEGIN PGP PUBLIC KEY BLOCK----- | ||
Version: OpenPGP.js v4.7.2 | ||
Comment: https://openpgpjs.org | ||
- If you think you have found a security vulnerability caused by the compiler with a project that has used Vyper, | ||
please report the vulnerability to the relevant project's security disclosure program before reporting to us. Additionally, please privately disclose the compiler vulnerability at https://github.com/vyperlang/vyper/security/advisories. | ||
|
||
xjMEXiC9KhYJKwYBBAHaRw8BAQdAMMsB1qaofcbuG5/4Hmm1GD8M+2lKJ50B | ||
YI2G44/nquDNK3Z5cGVyLXNlY3VyaXR5QHBtLm1lIDx2eXBlci1zZWN1cml0 | ||
eUBwbS5tZT7CeAQQFgoAIAUCXiC9KgYLCQcIAwIEFQgKAgQWAgEAAhkBAhsD | ||
Ah4BAAoJENARd3wFTk2lbdIBALELumbNOvueWQJSN8g+AYmb2i2XGDkuhWB0 | ||
ZK8maVfpAPwINHjx8vmNZ2T/aML2dpmaL7h2g13OTDjt1nYeTMVCD844BF4g | ||
vSoSCisGAQQBl1UBBQEBB0A7Lb7v2tyRBAasuwwzF94OzrbqVybJ5cgxsO3F | ||
N+XKBAMBCAfCYQQYFggACQUCXiC9KgIbDAAKCRDQEXd8BU5NpRLzAQC+gaZ6 | ||
lg4OrPFHOK9zYqbQ0zpx+tadKaEoo51jzsjCLgEAmp01XCX7/0Ln1TtUFzMy | ||
fRy18qk7KR6zOg2RRch5gQQ= | ||
=O37G | ||
-----END PGP PUBLIC KEY BLOCK----- | ||
``` | ||
- **Please Do Not Log An Issue** mentioning the vulnerability. |
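Review bot: the rewritten "Reporting a Vulnerability" bullet leaves GitHub private advisory reporting (https://github.com/vyperlang/vyper/security/advisories) as the only intake channel, because the hunk drops the encrypted-email path: the "please also email your vulnerability to" line and the entire PGP public key block (`-----BEGIN PGP PUBLIC KEY BLOCK-----` through `-----END PGP PUBLIC KEY BLOCK-----`) are removed with no replacement contact. A reporter who cannot or will not use a GitHub account now has no documented way to reach the team; either keep an email contact with its current key fingerprint, or say explicitly that the advisory form is the sole supported channel so reporters do not fall back to a public issue. Two smaller points in the same hunk: the bullet reads "report ... to the relevant project's security disclosure program before reporting to us. Additionally, please privately disclose ..." which mixes an ordering instruction with "additionally"; stating "first ... then" would be unambiguous. And the two "as of May 2024" statements (`0.4.0` being the recommended production release, and there being no bug bounty program yet) are hard-coded dates and versions in a file nobody is reminded to revisit; pointing readers at the releases page for the current recommended version, or adding a note to update these lines on each release, would keep them from going silently stale.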