Do not report security vulnerabilities through public GitHub Issues, Pull Requests, or Discussions.

Report security vulnerabilities privately through the established ArcBlock or Blocklet security contact for your organization. If you do not already have a private reporting channel, contact blocklet@arcblock.io and include a short description of the affected component, impact, and reproduction details.

This public source repository is provided for transparency, self-hosting, auditing, and reference use. Security support applies to versions that are actively operated or distributed by ArcBlock or by your organization under a support agreement.

Self-hosted deployments are responsible for applying updates, rotating credentials, and securing their own infrastructure.

This repository does not define a public bug bounty program. Any bounty or reward terms must be confirmed through a private ArcBlock security channel before testing begins.