Security: Snovon/SolAST

Security Policy

Scope

This policy covers vulnerabilities in SolAST itself — the scanner, its CLI, and its library API (for example: a malicious Solidity input that crashes, hangs, or achieves code execution in the scanner; or output that could be used to mislead a reviewer).

It does not cover vulnerabilities in the smart contracts you scan. SolAST is a best-effort, heuristic static-analysis tool; its findings are not guarantees and are not a substitute for a professional audit. See the disclaimer in the README.

Reporting a vulnerability

Please do not open a public GitHub issue for security reports.

Instead, report privately using one of:

Please include:

  • a description of the issue and its impact,
  • a minimal proof of concept (e.g. the Solidity input or command that triggers it), and
  • the SolAST version (solast --version) and your Node.js version.

What to expect

  • We aim to acknowledge a report within 5 business days.
  • We will work with you on a fix and a disclosure timeline, and credit you in the release notes unless you prefer to remain anonymous.
  • Please give us a reasonable window to release a fix before any public disclosure.

Supported versions

SolAST is pre-1.0 and evolving quickly. Security fixes are applied to the latest released version on the main branch. Older 0.x versions are not maintained; please upgrade to the latest release.