Please do not open a public GitHub issue for a security vulnerability.
Report suspected vulnerabilities privately via one of:
- GitHub private vulnerability reporting: Report a vulnerability
- Email: security@iohk.io
Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce, or a proof-of-concept
- The affected version(s) (release tag(s) if known)
- Any mitigations you're aware of
We aim to acknowledge reports within three business days and will keep you informed of the triage and remediation timeline.
In-scope targets:
- The Lace browser extension (all distributed channels: Chrome, Edge)
- The Lace mobile app (iOS, Android)
- The source code published in this repository
Out of scope:
- Third-party services referenced by the app (report to the service directly)
- Denial-of-service attacks against Input Output infrastructure
- Social engineering of Input Output staff
We prefer coordinated disclosure. Once a fix is available and released, we will publish an advisory through GitHub Security Advisories and credit the reporter (unless anonymity is requested).