CertChain is a hackathon-stage project (TrustMint · Hack4FUTO 5.0). We still take security seriously — please report vulnerabilities responsibly.
- Do not open a public issue for security reports.
- Open a private GitHub security advisory on this repo, or contact the TrustMint team directly.
- Include the affected component, a description, and reproduction steps (or a failing test) where possible.
- In scope: the Anchor program (
programs/certchain) and the helper scripts (scripts/). - Out of scope: third-party dependencies (report upstream), and the off-chain frontend (separate repository).
- The program stores only a SHA-256 hash plus key fields on-chain — no secrets.
- A credential's address is a pure function of its hash (
seeds = [b"credential", credential_hash]), so duplicate issuance of the same hash fails atinitby design. - Credentials are immutable in Sprint 1 — there is no update or close instruction yet.