Stellopay Core manages payroll escrow and related Soroban contracts on Stellar. If you believe you have found a security vulnerability, please report it responsibly.
Security fixes are applied to the main branch and released through reviewed pull requests. Use the latest main commit or the most recent tagged release when deploying to production networks.
In scope:
- All Soroban contracts under onchain/contracts/, including payroll, escrow, governance, RBAC, compliance, payment scheduling, vesting, and supporting modules.
- Cross-contract integration behaviour covered by onchain/integration_tests/.
- tools/cli when a finding affects deployment, upgrade, or contract interaction safety.
Out of scope:
- Third-party wallets, RPC providers, and Stellar network infrastructure outside this repository.
- Social engineering, physical attacks, or denial-of-service against public endpoints not maintained in this repo.
- Issues in forked or unpublished contract deployments that diverge from main without disclosure.
Do not open a public GitHub issue for security vulnerabilities.
Report privately using one of these channels:
- GitHub private vulnerability reporting (preferred): open a private security advisory on this repository.
- Security issue template: use the Security report template only if private advisory reporting is unavailable. Mark the issue as sensitive and avoid posting exploit details, keys, or mainnet transaction data in the body.
Include:
- A clear description of the issue and affected contract or tool path.
- Steps to reproduce, including network (testnet/mainnet) and contract IDs if relevant.
- Impact assessment (fund loss, auth bypass, upgrade abuse, etc.).
- Proof of concept if available, preferably against testnet.
What to expect:
- Acknowledgement within 5 business days for valid reports.
- Status updates as the report is triaged and remediated.
- Coordination on disclosure timing so users can patch before public details are shared.
We support good-faith security research on testnet and local environments. Do not test against mainnet funds you do not own, do not exfiltrate user data, and do not degrade production services.