If you discover a security vulnerability in VERIDD, please do NOT open a public issue.
Contact the team privately via:
- Email: veridd-security@googlegroups.com
- GitHub: Create a private advisory at https://github.com/xi-kki/veridd/security/advisories
All API keys, tokens, and private keys must be loaded from environment variables or a secret manager.

Bad:

```js
const TOKEN = 'vcp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxx'; // ❌
```

Good:

```js
const TOKEN = process.env.VERCEL_TOKEN; // ✅
if (!TOKEN) throw new Error('VERCEL_TOKEN not set');
```

`.env` is in `.gitignore` — use `.env.example` as a template.

- Never commit real API keys, wallet private keys, or RPC URLs with credentials
- Never log: private keys, API tokens, passwords, mnemonics
- Use structured logging with redaction for production
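An added example (not VERIDD's own code) of the redacting structured logger the rules above call for: every record passes through a redaction pass that masks the secret classes named here (private keys, API tokens, passwords, mnemonics, credentialed RPC URLs) both by field name and by value shape. The field names, the `vcp_`-style token pattern and the other value patterns are assumptions for illustration.

```javascript
// Added example, not VERIDD's own code. Field names and value patterns below
// are assumptions; tune them to the secrets your deployment actually handles.

// Keys whose values are always masked, whatever they contain.
const SENSITIVE_KEYS = /^(privateKey|private_key|token|apiToken|api_key|apiKey|password|mnemonic|secret)$/i;

// Values that look like secrets even when stored under an innocuous key.
// These are heuristics: a 12-24 word lowercase phrase is treated as a mnemonic.
const SENSITIVE_VALUE = [
  /^0x[0-9a-f]{64}$/i,                         // 32-byte hex private key
  /^(?:[a-z]+\s+){11,23}[a-z]+$/i,             // BIP-39 style mnemonic (12-24 words)
  /^[a-z]{2,8}_[A-Za-z0-9]{16,}$/,             // prefixed API token, e.g. vcp_...
  /^[a-z][a-z0-9+.-]*:\/\/[^/\s@]+:[^/\s@]+@/i, // RPC URL carrying user:pass@
];

// Recursively copy `value`, masking anything sensitive by key or by shape.
function redact(value, key = '') {
  if (SENSITIVE_KEYS.test(key)) return '[REDACTED]';
  if (typeof value === 'string') {
    return SENSITIVE_VALUE.some((re) => re.test(value)) ? '[REDACTED]' : value;
  }
  if (Array.isArray(value)) return value.map((v) => redact(v));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redact(v, k);
    return out;
  }
  return value; // numbers, booleans, null pass through unchanged
}

// Build one JSON log line. Serialization only ever sees the redacted copy,
// so a secret placed in `fields` by mistake never reaches the log sink.
function logLine(level, msg, fields = {}) {
  return JSON.stringify({ ts: new Date().toISOString(), level, msg, ...redact(fields) });
}

// Constructed sample: a deploy log that accidentally carries a token and a key.
console.log(logLine('info', 'deploy started', {
  user: 'alice',
  token: 'vcp_abcdefghijklmnopqrstuvwxyz012345',
  wallet: { address: '0x1234', privateKey: '0x' + 'ab'.repeat(32) },
}));
```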
- All contract inputs validated before sending transactions
- API responses are parsed with try/catch to prevent JSON.parse crashes
- User inputs validated for length and content
- Avoid `dangerouslySetInnerHTML` where possible
- When SVG/HTML icons are necessary, use strict allowlists
- Sanitize user-generated content before rendering
- All hardcoded secrets removed from source code
- `.env` files in `.gitignore`
- API tokens loaded from environment variables
- `console.log` statements reviewed (no sensitive data)
- Dependencies scanned for vulnerabilities (`npm audit`)
- Git history scanned for secrets (`gitleaks detect --source=.`)
- Smart contracts audited for common vulnerabilities
- Input validation on all user-facing forms