ValidFi is a privacy-preserving health credential platform built on Stellar Soroban. Given the sensitive nature of health data and the critical importance of security in healthcare applications, we take security seriously and appreciate the security research community's efforts to responsibly disclose vulnerabilities.

We actively maintain and provide security updates for the following versions:

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, please report security vulnerabilities via:

1. Email: Send details to security@validfi.io (if available) or the project maintainers
2. GitHub Security Advisory: Use the Private Security Reporting feature

When reporting a vulnerability, please include:

• Type of vulnerability (e.g., smart contract exploit, authentication bypass, data exposure)
• Full path and location of the affected source file(s)
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact assessment - what an attacker could do with this vulnerability
• Your recommended remediation (if you have one)
• Your contact information for follow-up questions

• Initial Response: Within 48 hours of report submission
• Status Update: Within 7 days with assessment and estimated timeline
• Fix Timeline: Critical vulnerabilities will be addressed within 30 days
• Public Disclosure: After a fix is released and deployed, typically 90 days from initial report

We are considering a bug bounty program for the future. Stay tuned for updates.

• Use hardware wallets for storing significant health credential assets
• Never share your secret keys or seed phrases with anyone
• Verify contract addresses before interacting with smart contracts
• Enable multi-factor authentication where available
• Use official wallet applications only (Freighter, Albedo, LOBSTR)

• Review permissions before sharing health credentials
• Set appropriate expiration dates for shared credentials
• Monitor your verification history regularly
• Revoke access immediately if you suspect unauthorized access
• Use strong passwords for your ValidFi account
• Log out after each session on shared devices

• Minimize data sharing - only share what's necessary
• Use zero-knowledge proofs whenever possible to avoid revealing personal information
• Verify recipient addresses before sharing credentials
• Be cautious with public WiFi when accessing health records
• Keep your devices updated with the latest security patches

// Always validate inputs
if amount == 0 {
    return Err(Error::InvalidAmount);
}

// Check authorization before state changes
credential_owner.require_auth();

// Use safe math operations
let new_balance = current_balance.checked_add(amount)
    .ok_or(Error::Overflow)?;

// Implement access controls
if !is_authorized_authority(&env, &caller) {
    return Err(Error::Unauthorized);
}

// Validate credential expiration
if credential.expires_at < env.ledger().timestamp() {
    return Err(Error::CredentialExpired);
}

// Input validation with class-validator
@IsString()
@Length(1, 100)
@Matches(/^[a-zA-Z0-9-_]+$/)
credentialId: string;

// SQL injection prevention with TypeORM
const credential = await this.credentialRepository.findOne({
  where: { id: credentialId, userId: user.id }
});

// Rate limiting
@UseGuards(ThrottlerGuard)
@Throttle(10, 60) // 10 requests per minute
async getCredential() {}

// Sanitize user input
import { sanitize } from 'class-sanitizer';
@Transform(({ value }) => sanitize(value))

// Encrypt sensitive data before storage
const encryptedData = await this.encryptionService.encrypt(healthData);

// Validate wallet signatures
const isValid = await verifyWalletSignature(
  message,
  signature,
  publicKey
);

// Sanitize user inputs
import DOMPurify from 'isomorphic-dompurify';
const cleanHtml = DOMPurify.sanitize(userInput);

// Use environment variables for sensitive config
const apiUrl = process.env.NEXT_PUBLIC_API_URL;

// Implement CSRF protection
headers: {
  'X-CSRF-Token': csrfToken
}

// Secure session management
const session = await getServerSession(authOptions);
if (!session) {
  return redirect('/login');
}

Before submitting a PR, ensure:

• No hardcoded secrets, API keys, or private keys
• Input validation for all user inputs
• Authorization checks for sensitive operations
• Error messages don't leak sensitive information
• Dependencies are up to date
• Tests cover security-critical code paths
• Documentation updated for security-relevant changes
• No SQL injection vulnerabilities
• No XSS vulnerabilities
• CORS is properly configured
• Rate limiting is implemented
• Encryption is used for sensitive data
• Access control is enforced
• Audit logs for critical operations

• All state changes occur before external calls
• Use the checks-effects-interactions pattern
• Soroban's host environment provides protection against reentrancy

• Use checked_add, checked_sub, checked_mul for arithmetic
• Validate all numeric inputs

• Always verify caller authorization with require_auth()
• Implement role-based access control where appropriate
• Validate credential ownership before operations

• Be aware that env.ledger().timestamp() can be manipulated by validators
• Don't rely on exact timestamps for critical security decisions
• Use block numbers for time-based logic when possible

• JWT tokens stored securely (httpOnly cookies)
• Token expiration and refresh mechanisms implemented
• Role-based access control enforced
• Wallet signature verification for sensitive operations

• Health credentials encrypted at rest using AES-256
• Encryption keys stored in secure key management service
• TLS 1.3 enforced for all communications
• Regular security audits of encryption implementation

• Rate limiting on all endpoints
• Input validation and sanitization
• SQL injection prevention with parameterized queries
• CORS properly configured
• API keys rotated regularly

• All user input sanitized with DOMPurify
• React's built-in XSS protection utilized
• Content Security Policy headers implemented

• CSRF tokens for state-changing operations
• SameSite cookie attribute set
• Origin validation on backend

• Verify all transaction details before signing
• Display clear warnings for sensitive operations
• Implement transaction simulation before execution

• Algorithm: AES-256-GCM
• Key Management: AWS KMS / HashiCorp Vault
• Key Rotation: Every 90 days
• Backup Encryption: Separate encryption key

• Protocol: TLS 1.3
• Certificate: Let's Encrypt / DigiCert
• Cipher Suites: Only strong ciphers enabled
• HSTS: Enabled with max-age=31536000

• IPFS: Encrypted before upload with user's public key
• On-Chain: Only credential hash and metadata stored
• Zero-Knowledge Proofs: No raw health data revealed

• Smart contract security audit by [Audit Firm] - Q3 2026
• Backend penetration testing - Q4 2026
• Zero-knowledge proof verification - Q1 2027

• None yet (new project)

• HIPAA Compliance: Encryption, access controls, audit logs
• GDPR Compliance: User data rights, data portability, right to erasure
• HITECH Act: Electronic health record security

• OWASP Top 10: All vulnerabilities addressed
• CWE Top 25: Dangerous software weaknesses mitigated
• NIST Cybersecurity Framework: Risk management alignment

• Automated monitoring with Sentry, Datadog
• Smart contract event monitoring
• Unusual activity alerts

1. Identify: Confirm security incident
2. Contain: Isolate affected systems
3. Eradicate: Remove threat and vulnerabilities
4. Recover: Restore systems to normal operation
5. Learn: Post-incident analysis and improvements

• Users notified within 72 hours for data breaches
• Public disclosure after fix is deployed
• Transparency report published quarterly

• Soroban Security Best Practices
• OWASP Top 10
• Stellar Security Guide

• Smart Contract Analysis: Soroban CLI, Rust Analyzer
• Dependency Scanning: Dependabot, Snyk
• SAST: SonarQube, Semgrep
• DAST: OWASP ZAP, Burp Suite

• Regular security training for all contributors
• Smart contract security workshops
• Incident response drills

Title: Credential Sharing Access Control Bypass

Description: An attacker can access shared health credentials after 
the sharing period has expired due to missing expiration validation 
in the verification endpoint.

Steps to Reproduce:
1. User A shares credential with User B for 24 hours
2. Wait 25 hours for sharing to expire
3. User B can still access the credential via /api/v1/verification/:id

Impact: Unauthorized access to expired health credentials, privacy violation

Suggested Fix: Add expiration time validation in verification middleware

Proof of Concept: [code snippet]

Title: Security bug

Description: Your website is vulnerable

Steps: Just hack it

Impact: Bad

For security-related questions or concerns:

• Email: security@validfi.io
• GitHub: https://github.com/GuardZero144/ValidFi/security
• Discord: [Security channel on Discord]

Last Updated: June 2026
Version: 1.0.0

Thank you for helping keep ValidFi and its users safe!