Only the latest published QSDM Core and QSDM Hive releases receive security updates. Older or locally modified binaries must not be used for production funds, mining identities, treasury operations, or wallet recovery.
Do not open a public issue containing exploit details, credentials, private keys, wallet backups, or personal information. Use this repository's GitHub Security tab to submit a private vulnerability report. If private reporting is unavailable, contact the repository owner through GitHub without including the sensitive details until a private channel is established.
Include the affected version, component, reproduction conditions, impact, and the smallest safe proof needed to validate the report. Never test against wallets, nodes, or accounts you do not own or have explicit permission to use.
This repository is public source code. The following must remain outside Git:
- wallet keystores, passphrases, recovery material, and private inventories;
- signer bearer tokens, API keys, SSH keys, VPS credentials, and
.envfiles; - signed or unsigned treasury envelopes and local ledger/runtime state;
- encrypted custody archives, even when the archive itself has a password;
- private external repositories, deployment mirrors, and workstation copies.
Public wallet addresses, public keys, transaction IDs, audited funding plans, and redacted evidence may be committed when disclosure is intentional.
python scripts/check_secrets.py --worktree scans the publishable tree locally.
The pre-commit hook scans staged content, and GitHub Actions scans every tracked
file. These controls reduce risk but do not replace human review or key
rotation after an exposure.
Every third-party GitHub Action is pinned to a reviewed 40-character commit
SHA. python scripts/check_workflow_action_pins.py enforces that policy in the
Secret scan workflow so a mutable tag or branch cannot silently change CI code.
If a secret may have entered Git history, treat it as compromised immediately:
- disable or rotate the credential before rewriting history;
- move funds to a newly generated wallet when private-key exposure is possible;
- preserve a private incident record with timestamps and affected commits;
- remove the material from every reachable branch, tag, release, and cache;
- publish a scoped advisory after users have a safe upgrade or migration path.
Deleting a file in a later commit does not remove it from Git history.