1# Security 2 3The maintainers of libwally take security very seriously and are committed to addressing any disclosed security vulnerabilities quickly and carefully. If you find a security vulnerability, please report it to us following the steps described here. 4 5## Reporting a Vulnerability 6 7Privately and confidentially send us a description of the vulnerability that you have discovered using an encrypted and authenticated channel. PGP encrypted email is preferred. Our contact information is given below. 8 9In your report, please include as much information as you can, including: 10 11* a description of the vulnerability and how it could be exploited 12* its potential impact (e.g. privacy leak, denial of service, theft of funds) 13* steps or code for reproducing it 14* a proposed patch for remedying it 15 16Also, provide us with a secure means to contact you with any follow up questions we might have. 17 18## Considerations 19 20Please take care not to violate the privacy of users in your report. For example, stack traces or exploit scripts sent to us should never contain private keys or personally identifiable information. 21 22Give us at least one week to investigate the vulnerability you found and up to 90 days to fix it. Also, please give us reasonable advanced notice if at any point you intend to disclose the vulnerability to anyone else. 23 24In general, please investigate and report bugs in a way that makes a reasonable, good faith effort not to be disruptive or harmful to us, this software's users, or the users of dependent projects. 25 26We will take care to inform the maintainers of dependent projects. 27 28## How to Contact Us 29 30### Primary Contact 31 32Jon Griffiths 33jgriffiths@blockstream.com 34 35Please use the following PGP key for communication: 36 37 38``` 39Email: Jon Griffiths <jon_p_griffiths@yahoo.com> 40Fingerprint: 129EE55E90E6E7BB5ED3530DFD9FCBA3C53CED20 41 42-----BEGIN PGP PUBLIC KEY BLOCK----- 43 44mQINBFcpb6cBEACshfpRfpq1su/TdjBphD1kBeyJbU5FhsX3LbOmyWERcvqH8ES8 45tKd0oVrt8pGj1R+GLrmT/bKA0qizsKzB46ErkCFqTrZIJc7c/dXB/N3ZqwRLi6zH 46kfA9llqEd1fHCjFpNAGE9KFHqdVq2MGw0tCqRmOX+2ny0PqEe8mluCZV5drsDq4M 47DDUVQPGP8JG0Z0J03jyOCHWz5D7E7vGazl5RhMZu2109xEM26vevUd1y8QLsjWLS 48vyFjNKEgNGkxQnJ3JL5JLnlduiZQS8lM2KIpZw8G8sxtE4iuc/FQLWy6F9Mb23mg 49eL9OYxVhY9/QS0EUS48/lqc2oxGHnDCn1U5jUK9ihMwLupgY8glCqXtHf0jqVDjV 50QThqHVdxRqYuvlgaRSDf7YKgV8QOG0/j2o0u0Ums7zfA+yvtO0rgqKpb7SgQU3cx 51y+JX1Ko8Aoa/KQEv44LuRLwBZ7B3WmBcitv/YHtdYFyYADCMwKaojG5Rh7sxgwgp 523788Rm81EpqjNlj1IoFBQ4UU7aRgcXnngUTSY3JTZ8XEmvH6Q1i51L7nfXcg1Nkz 53E1Fuz4NGedh2iwHmGLUxkSqUgyavvmZ+OxiVr/lxIEKKEbR+nuE5yP6dk3Uv8RjA 54/l+Ak1Tu6EWvCYFMPb4asOtKu2Z09gpXabeyMC17hsHsAfmqEkSKdgZzcQARAQAB 55tClKb24gR3JpZmZpdGhzIDxqb25fcF9ncmlmZml0aHNAeWFob28uY29tPokCPQQT 56AQIAJwIbAwUJAeEzgAIeAQIXgAUCVylwhwULCQgHAwUVCgkICwUWAgMBAAAKCRD9 57n8ujxTztII8qD/4zlQ6q5lwBHkyO2ZiDkh33kKllUg2DdbYG7or6W8GAxWs7Naap 58SRjKzsh6j2emP1SWTKi/wRSiqk7xO7FLD29OTuIMYTox6QPm/hTLw5GqQ8z84lJ0 59cIn+l3ntxW10l062nsp/bfVIt6vg06RbQtppdp16Ki6EhYLojsZ5F8K9+55wc055 60OBll4QNGy/jcdyfYtjrddTadnqjjBEub8sx5cCqfSQiqAY/rIAa5DqMcvf6DS56L 610uLpcIDNn9knc3STQUTKlide1tYOSEUYsE705FGlrY0tJzvt2lHKq8xfaj4mOHx0 62k9Ji5HiSrTM+PBcYZ/mdQgw3JTLaOyPCpw8zIUJKudkqiBYAVUJjQfHHq7YsmMUg 63dqQmjG5Mu99+YYNRhMoCGcrFdsbtrpS4F/vf/WSYstzw8NXIcroFB/68IYWqaeSM 64sGVXpV7wKmeNSnaz1xBrdVhD+2m9Kyg9fttfPHLyN3iQipoFDGyBGeL5Iej+Nn4K 65MR6fT1lxQilLBrtTv6rdWMIPDbiey0nUSRC6IkFlPB8R+fFdUx9gNSARzkZrl7lr 66s0yuEV+6BWfxPwcYlNSfJJEovOVvbogvlx2NTVzXCXd6o4sdH6CKPTeAoIHPUJ+8 67zLQAq8C6bWa/AyfDZzymFraiiwA6SDb3yWUpQPQFyqGPTC5cm/pD/IOJvIkCPgQT 68AQIAKAUCVylvpwIbAwUJAeEzgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQ 69/Z/Lo8U87SCaSg//am7TvXy1SX13kCHrzeU933z1d81MMFHI47mvBYb1OzYROM5z 70SVD/82XI6kYbzPAf74Tc2BlaeEKP5pfoSjGT5x97o14tx3HuYG5LVjVpgCxI1yuP 71XzyLRU9JWJBMkeWC8obZd/4P0iFELylLC570LuKsMx1G00Luxsy2xXXSCOhdJY9f 72598qehqACTKCXYLMUspGqgC/nJDCUAzi+mXqybdhTh9Dd5sFL0OIL+/NIDlT4/HE 73KOBK1lVBUQiH5TJLhaaRijXlUTYntBba5uu0j/PUNYJ+FKVp/YNcA7QPJQOpVxjX 74RaNgN+65UswA5SQmbr+k5pXmBhIFW9Q0pW6C5c4bLrH9p7jneJJQJlOevf3WGnjm 759Qkubmz9COwzmBMMqixNoHtElsjAwWs/o1W6va+qcTwkrGfyQMMS8pZEc0WWAaO5 760MrOyhc3Bz+MV5/lWeV10zR8SHGjXQSoE/zlKi7rKtZr9jLg3A3JabH54LmTbbHT 77ARK4GWYXMqrCAzN+Fn2AQvOoU3xA3HEatKDxoPd9tGRmr8if/jEkjlJ336E/oPq7 78hxEX42qKyqbW6WED937eSuKIZoMGusdp0S778NOa9E+KyizARAUui50PAeL15K9G 79h+0VRx4VxWyFk8Ra/bVs9CmDUciMmV2wx87LAU+30ak2K2M29Vkhlm8/zB+JAj4E 80EwECACgCGwMGCwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJZCv4qBQkDwsHuAAoJ 81EP2fy6PFPO0gBGIP/3zw8WZRURPQfQ0hC8UQc96uaPU7IBQrMXDBj+y8XBNLCFJX 82UhT3rS1wlN5foCt0DxkgLIAU73GUJ0Q7qG0Vcap7YWSpcw6y6Ih7vxVRzAqe8nfC 83IznSK28uhJgVErelNLOYLqiV3nO5oHOSVLL95JwvexPw/zIkbSQwr7mX/Rica8iG 84qEGXqRgjasgLz0BhR7OozzgdXHmVcwtQ2x9t5ySso/doj+RrSTdCbSw+5l8fZOC/ 85HEIdOWrjkL5r84EmZHfb1sbk0CAPZeX1lnaXSitYenb5Yl90ejSOjGwqV4F+/ZoA 86LspvU1SeDiASQaFaK/gxuVeGVduYcbXriD06iGsMzX6BkathV/hPd2naneT4T85K 87SgjUs9Mby9/gy84uNDDsH3PSBlYJCH+GuVkafiwD9GZc8sr5KJtCIFA/ZCJk0omJ 88Mdod8QaWKwCpiJO4ynnliiBnXKMHABYQBR4B68fz2RduQ94tnGEdbyJbakPQ1viL 897Gr0hkau6Rn/p8qzH7ZG5zI1N6e1TUTwiRsDJK82N/R6hHj2ovf6oDp2oa5/0E1g 90AlzstP4b2BmVnyEivc72smRbPwqN4kyoc6xUQsH7nWmXdw05uHW583et9Aa8R9My 9165ubRnk6TWkwcUycJZMzPI9UJCIPj8vDHw8+6esVR+iaf60YYdzRPIZ7nQjjiQI+ 92BBMBAgAoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCWu+aGwUJBadd8QAK 93CRD9n8ujxTztIMOkD/49LKpwugFKAMtAN8tg5JmOmvFvzUgHKNaI1QLDw/7CB1E8 943+zSTEge9MQme7pBeHbf8wHqRIOEQJuygmYcsXNdDhe2cDbuKKhBRnTiYyzZojSH 957Q/+21N4e0zIsizFCEwDFmIJa3YFGmVH28Cql2AtopW4yv9ZR4D/Fe9DF3um9llg 96rZEOyIysJuj56rGUuRs1779xs+taVV74n3Vt6CY+zE0nbZayzac1G9SmowKeJjnY 97aLoaxthpac4ysBDBfJaIj3ddU1exXiOJJYrOQ43h2iRmcpVRZ6QOtGRIsixLc/Sx 988x2ML4iHtY1V37oFCLa8PZs35Q/Jtbj/CRmM/WpmnCNR3e8rHGwHdJiV6oLChbE2 99BQuhQdxPSDPGJ2Z6CBpycWtCl2cH4INdbvjQyqyhRyWugqUSYkhzVe0q3VA5sJMj 100otHeSSsBV8PeakjV3hQ7idH4DFwExKrJOm2Miif/MKJSOx14lWPeshHOIivwB3M/ 101mt1hVHp512GuNdNNPWx3F3kPZbk2n03WL6rNb5EgA+6py7pEDOZgy9BmzAkTz3cN 1020cySdqESS7oPpWfWDjYYJo4KndKdfmgWCf3y4HbCW01tjgSC4hk8sqmLOEhQ+s1h 103vTB9U9jFtszCyNOrzsDqEDpgu8PFWGdOr+Fg5bQtLvf40dlu8JaFmllDpCALHYkC 104MwQQAQgAHRYhBBM+rBeUNvFKXPG3lIYP64BOZpMgBQJboUJGAAoJEIYP64BOZpMg 1050CMP/iNHXbGqGH0N7+BjwV4HrQxQ5+G4LEVu0EIq0Ut6n5I0ie5sAhOj/AKATLTx 106CpQiAkuNb3VVXmmVgKAV76ClKzIr5/n0j+Iy+Pgjy817swVt56edeBZxv76pduaP 107wUnfDxV0+SQpzBR7WavZ9v5cQFj0YI/vAlCeOSEDbqbZuu01f6WzhBNAk4VBV09q 108T7/HgUCeRF4GpPF+jUMjM5bsH+9Xizf9CKLixw++KvcMiyzMFfruWSLm7m1lyAws 109rItz1HKWvbrs59IRVs59QkmwD6e/LaZ+mycco95RarRvG/sgPEBIhUfdoevgWTIy 110WRgUgY1YWEtOSpDHEnnwG/qPgqakrYUsPD3N42szqisLOxD9qWSGJnQJpcbbeAEO 111byaMN7fVFAZ0AszDvUKiDb3ZEUI/DWl3P2+Rs4a0lXXAeL2itdikunZshvDyuzk+ 112LV0BMNMfz232spxqZTYjUFGM19KA2nRqlmL2RX+vz8066EZpf7V84g2Ai+3jVlUJ 113K/sBcFblwwpXcvpBqumeiWD01GI/DT9yU98Qm41uPk/5J+/NKAXzaOofEAlxPCN0 114R6U4nrTwslELdahh1QGVLUZA2wasLmwpXrs6/7lI3HQ3Y9A2zonsfwVCTHpIYJn0 115wT287lsehVjkqiK/Q/ectsgfy1qK51kYcdqLpcf0we4qIOaQiQIcBBABCgAGBQJb 116p5nLAAoJEKJtbZ/giO1YFSkQAKh84zOXp63A3WhAqpMODwIOc3bHhfgD2emJAwBA 117cvJ0jF6gQeQceWtoW3Fy0ivA/LQCX6cemriyJNOUHXAiilzcXQH/1VuUatD6K6X7 118eCbbilah0EMrUG/PLcvf8KlicazKwUpv9lLAdE5horUaq56QcGzWxL9OQkHJKpTp 119aHo3Y4eEiXiAJr18t6OGuP3sqvPqOe7RuS9gHGyfVRb9cg8k1T9f4WdCNyoyAsbd 120I2I7LtTln2xY/DDU9ynzOkwpxXCrxYmE3zMcPCTe5xITQ3JkprWIGDKFrxomYx4M 1218DF9gtDLzOzA+7gHNbzsJzA2mUpvoA3ajz/GHNZUdh0yIeGmZKQbaA1uONUZTlxx 122dRdoNTXl2AQ8NbD7VThxIj3ib8v4q6NpohPrzYZ+PmtUdd+stFWxkafB44LgjfbR 123WO/JE4zVwrfykDRoMGwL4nCgcssyuCSDdtYaKgIiiUqZNyDakzcMMI6TMT/VfjXk 124vjZYTOtXGsFJQRg9L9AEtVIsOB/IkChPL1AyzdQjK15jlQTo0qw7sr0zysFMyNML 125rr49Sjcv0+cO3MHyT7Fi7gvHLVy6Lh6cvDtjaNUgYfrslimQdqUS7W7piEOKlADY 126eUD8YFxmtHSkqmkdYW/ULYOlkp2nzjlfOG0GGfvibz1opIF9aSZH6on7eox/DS+i 127DjVJiQIzBBABCAAdFiEEDXrynMkm7zNZa1t+hkxNCRC0MNcFAluskTIACgkQhkxN 128CRC0MNfdxw/+KxfOpVzONnv62CBFG+XuzJ0yWNFuVvEJGwcFVKBozlpw5I6SDxtv 129fL+BbRkuXMKI9vrXbvC8QKkOfz2zVTiDPYwXqnq6YeN+Tp5WKfsNWxDXLfTLS8nS 130mPektqH5oWSCCqrGIYjGRBQ2vC4c0vjMHLRmXHMjuB7brC8XMYTIA3DhbN9wG3+F 131dkTTjKIDrMfdn4gGOEmAiYYQuwjnnOAG9WIOfmsIuda5+taIId7mamV3N45rjn+k 132uYJ9p0TsRoOM1gKyrrwFPSY1z354Vq9hcwOoCgNklATlEx+MkNG5jNmeXH0aH4HW 133QqoryrJH+5+KNKKjkBe2vg6JXDDICAF6L/TtYhLxLrfz9G+ZIrU2x7O0xB8XXORY 134X0fskhMqf0HdbJDfmHDWUmsG07FGCG9ppt/DC5QQYjnH+znSfug1/1IN9fo5FIDe 135LgMjaa7CdvmVpdwTqZHuE9EcFqp2WjusmcPWW9npd5vHYpL7WxFzOyqQ1Gtjphmo 136CkoWHKP1NpBZ106QHoUvmyfGQgz1GTfvzpH+YU/9rPbidJOIe3LkHXCFg5Txox5m 137kf+85FFi5myCuxoRFIUu8oP2XMwPtLc1Bnt3bdKJmP+J+WcSmYLDdoBfzROL0M2i 1386YAC4Grd6Jt2d5vMaCzqYFK00gvYQON6543YLGS6tTHPiOo5LIrXi1SJAhwEEAEC 139AAYFAluk8hEACgkQAAI0BZy1BxUScBAAq4EiTtzbO91FN2vOHq1TIxObnw/GA5xt 140Z7y7uKV9ZlrboyJ/L9WUT3JNRWPejhTeXIAz404Zqu0wsf1SJ6G6Dk1fN/xzpkOi 141SoG4TsY3aw2JiuNzqd3GF6DipD5LMyoldlEsJAj2Xq43XnD0ZClT431jkj2EP03X 14237xw/8LyFPdqovoGtr/a4ZVQBcJbuHxJdYZ4orDKSfnwEj4Mb9b29pEza22HKs3d 143thc3aTMTOH9K2a/3X4aN1li7KfFwHgW+L7BFkbd9APpfgAb1VwcZLZnDYrEiIxzj 144iagJqPH1PfGDNGju+K42Mtb/T3f7BnwyTuOhRNfOxIzGofpjYDkl5GhSGk5HSPxg 145hXZvpCEn5pTDpqI/yzbw2j+njiLnTZvjsTMaOccw6i1b0V6K4fMOXDdc0LbE5rBS 14637/izR4DHSRwCP4eVpz1OWkyx3FhjXNVCAW2xRUheOP+REjwFbZGWyiNTl9AtDki 14785BVNdvqVKk2GhxK5MC/0A3k0qowy6FIEJcpwdf1wCbH3VQ0iOGCLI5baHOP7/WZ 148AlyyfZhrGVlN2lqI9t9Rs8VPlig7we/HK0flxAiV/Rx0wvTgWEOXgaoio4DFhMdh 149+Wf3eQU2R20C2BZEvdtzh77HaG+GRTbRYwZpiUsrMsIni8/Zb51HunAVNf0t60Se 150i6Ry+XufyQGJATMEEAEKAB0WIQR0gJCTeNVE6mttzrdTWxKYC7ik0wUCW6HPZAAK 151CRBTWxKYC7ik00sEB/0d7YWDsv1xSr9emZBwVkLaTHhwSrD4hbvYkO3CzQ4td/HS 1520jlraIzI7uZJrA0KXELSMGfa8I7h8khMCl6Es6xeJs46uv/Bk/9ccLqvfwMSGD7r 153uURMYPXaQqba/oYCHXhIlwjDqm/J8lgdJOfxUmml26qG23UO/g6hxSpsMcoNZ+qx 154Vnl1Xp9poGKo2CwPfIGgJcc6wDU26OlWQluuux0ErtYa1o6DdmJikRnYxLxamo0J 155mbL+YWeOC1CZd0M3bIjK2y1nrtnFglAuC5XuZYCGMNDnQO0lJNrQS3OezD7nNXJ7 156xZZso9G8KbK4i4Ube7KHMND3mHLCzaYyyKLItmoNiQIzBBABCAAdFiEEjMl02c/Q 157NNzu0hOwKlfgphDX8ZwFAlug8mcACgkQKlfgphDX8ZwjQg//bfCvWSSq/XSNTdYc 158tSysVaVHICm4BdOkMh6Gtb/1TJ4fE9mHnfza2h3zgQF3ayOk4JC0O/Ybfsm8HFXN 159c7RBh+IQJ1DclXkhH+e1dXyPFuMR5SWR1dL4PMvyHfT2iUe7Ibud+EUDFWFA1CC9 160L/fEWfW3+mCizFI8IgoHObL6U0+4xATICacuTyNFtK90IWNcA/DuPm7x467qY1f7 161PmEfrPhXVrGkqy1kAswZz+pKly3S/FOpeqN+o5B/tA+X25v0R4XUPYsp3LToDJX3 162x6iPq0vrDQFkHG3SXdGBgR/ipy3bObSOguE6iDg12ZxNQbmXB0ggHjurVv6/9Twy 163wN6UDD9iNs0JDXQ4fXbHs5qYChhxzGeU6dNGzqk0PC6j/ubFyb1zWqLTToa0FZuh 164HS1Z2A6amiw7VAXXobjZ34N0lr9qnu/BrOqE7dMnvK/CX6T9mM5bGPf8zKvI8j29 165OTtS9BGq0LDjGkTuquLUzDodvZHeVinJ2IKLAmrrM5dhhDjDRamIpXIcUrG0akhS 166exMP/2XLLNpz4Oa51AWf7nswc39s+Y3mFeO2qYdEDHXRvBESbZid/W7olVFbABnV 167N/NGkDJmCZL3vRojnVBX7vv+7WHICsR50nApov6Yh3VO1XKooVdgpIOremGMlxR6 168xJ6PNW3YuUa8kPCM+EwafBSdF/eJAj4EEwECACgCGwMGCwkIBwMCBhUIAgkKCwQW 169AgMBAh4BAheABQJfAiUnBQkJuej1AAoJEP2fy6PFPO0gN1cP/2jTMkl04rRf0JgD 170IuyUAC5ZDYxjd0qnTtMLE1bJxOdAh5a450PdQWQFjqyRWlfpQlznxrO1O0H/x1/D 1715ZNgLU7FlXYmuGj86NfIIiUxH+MbkjiQ7VUgNt04PRqt4GpWWn9O14Xxz09JSVA4 17219lC8FVt9M2JzUEi/hAte9GsXr0FHo1hDBZeXpGvZi8RbnbkEv+PXHiAWlpPEKeu 173w6h9qej1r3DrYYPOmnYGc5R1MygDQe4Wag3owx3QOTx9pHV4TCaUtLNL04lzDgjB 174cSjQNskzovi8AAnpMjU9Igvly+eD+vZ5019K42UJAkD3QM5u9xt8tkztPn3/GZgM 175NpGrubWph5aEYx0XI/+ywBj52VfVrHf07htS+o+aj1EJDdB1TsXcPK/ecu/pF0z1 176xfEmKYhYdBPHIfymocFW316kOl5kGryuZC2sEDUFveihadC4C80XYPLycIelQ5vt 1773lJp5CbdbZNGSEpW7tiB1sjKDAO1+j6O9mqG9opo35iTGlLkJYNRZQmzIytAvLKg 178YNt9h9+/tzEZxpyLtPddXiVzieCTpf5lf9JWrAHfE9pf+/nHy9TU3KlQ+5JFq9Jp 179ZYtXmnjz4sXsU/SzZc8ZgVfa81ZB9ZPpWeTytgmIvZ8IB0dg9J78VQLsomgNDGXR 180rQNLeK0S9XuwzBEdHW4D1NXGapQRuQINBFcpb6cBEADHIXZN1ns7lR1sG/+WxnMJ 181u5EB38/t16Rd/f+KmNKk+iyHdHxHALERoIP7P0BUhm259szYbMM6VJp7Rm2fUN/7 182BbtTdoCdignuna4bENX3RI9lCTXU3QbXo4JT9EcnoIhwosV1XxBASqAdc5Yosn7R 183uQP/yXKjQz6Auce95NGRPKzgSGkgWRA7mzzRkxCQ5QIL2CmTi4KsXyJWCKLPst3u 184xJpW2vucouRdBQoQ1a1gX76RFKIYaKLrbJ6tVzUYrve2LHCs8Q4mNVy/LrxKNHtv 1859muilTYEyOdXf1R7zHgTH7QW2xoS5Bjt0iaOx6wdSc4xwx4uQMuIHyveT8uagahY 186W7g7xd0tIi3yja1qDdkvU4zp975/Q/Ls+qW2/4CahlukOj8LX/teiLuaFaHlDYqI 187Hv22URBaIQuK+L/f3Ogi+hLbSCWSu4zLYvAWZ2Bl2amfDrC3t46gT9u8uNDhlt9Y 1884H10s5kON4nXVwgRRPllRc2IYqK6i0JHvF9xE5OvnYDPRblV54WQjJmAkmrEl4Up 189kd5SVqVoNf99MzvWrjiId3oZKUb3bfv+tfMCupjr6ELOg9dOQrXHB1qfrrs2q4s4 190ltF3+D5jpqhz09UZW/HEpbdEwvqS0Bb1W7oq5jd/LwL/hhmPVey65k4VfDuZF7gX 191Mf7o5/pgbQgIaeRRWJnjBwARAQABiQIlBBgBAgAPAhsMBQJa75o7BQkFp14PAAoJ 192EP2fy6PFPO0gjQQQAIgM+dTJlwnZBmgSDgnYOKAV8IKc4JWf0jlmQ/7Nkqpyujb4 193oMYDkvLNkKhs0QsiaCowz2IY96RksEUEZRim2L8sXYi17RYxsu6l0Cb54YBpQXZw 194gOUPxIJmT4vdoP0cEf6ryo3G7BQ+XqpKOyORRd22/Oplu5DQLzEJZIu+YEptobBY 195pUFqM8C9hFviCJW0juDDSdrJjiUnP9sqPXfbXpRZ3GbgUatlFeOOFFqS++rRP5fH 196JngxFHqWKd1f4SOP/5ECtb1POGBPT9WT0YLuis6Oqo4yTvk/Oyn3mVNPiSlBkXML 197GDUj3L/1rrADtj7HKPkHssR9cWq0MoUwaucSAvJEvdd0WPqG+7tIcO3SvZpkpIhu 198L55vW1i9Iog+Vy60VsdgbM0QB1TC2OwRomWCYy9OrPbNk9Uk0oOuvrmc3ni7HpcT 199TDm/+ocvtJ35OPwqdA47oxq1lY3dvRrB/6n4XT028PI+Axpga0/4w+oxN9ZESgTk 200S0Jf9fuSKCXNWgcWkegKYr4ExEvJMKbx5O8DYJgQbvtmx7XUL/oUrYbpYWlhYx3x 201/EvlWIE38p3us/0o8cYjh+gsxAtaBPmsW2KDsu205AMSsjUoF8jnY0eaMTvORQcW 202LDc1js0jGKX1KoNRxySa4IwUrN+BSbtIonPw27Uch6NIu9+1CwUkagFOAimUuQIN 203BFcpcKEBEADO3laIO69lLMz5yv+71c8cfr1Xjw99ax6JRw5+S+63/EooZzMQAnVu 20479e9EDqL4w5qudCTnb5DWARnPY9pSbMvuP6vvNJYmLeiGT4R7pzlxw7oNDfoTknI 205XmEOjVSHFg0YFSU0pxv0F35adC5m2YcxEEGOXNNxFZ9m/H8XDA0DsA2hqlxhcKCn 206qQ8/aH6gkAUdXfpW+dXac7h6MazsErsMaPssPAvmlMNglOEvRoCtvI6+PB4rCsJL 207eBaCj3pu+DaJRSyJyTt2TKKoYVxW6SlRIWn4ysii/P7XMjM4fNUJJOvLBwdEDkJj 208eKNiGsz5ahAWrfVQ7aTuvp0h2g3LyY2tYhDeLGY4Tm13eVi58s3oNLcXdgsfMTgE 209udA0OwvEdR5Kfgth0thBZUjsUH5xML8t/FpLmKniUE4VdnkatSSZAe+5xqmkn7V3 210ZJm1XkhUHFdETVc/xgTF7spccPjzMDkrFqGKmoC9n9ZJDX7K4BhIxMHG6SnLbXVd 2114D+9ErRePchem9Q+yo6bBzw8X9nxBeju4pBkpmr3eCF33Atn+bN0ncp2G8BW2h73 212aWuXXqMhkCSko4UB3sviuCL9aXkAaqvk5WRBAhsZhEgO7ZEsTz0NTf6BxZJ+l1B/ 213fNFAL+0awLpDOWsI4Fj4DO/6EXdmwRAmRBsSzv/WvfbJBzRBKZdoZQARAQABiQRE 214BBgBAgAPAhsCBQJa75pVBQkFp10xAinBXSAEGQECAAYFAlcpcKEACgkQ9xwiw9sf 215cidUWxAAqBuhLpGsfE761pLeO3DLEtUKt/YXFNiS62MSOO3hQYduZihq45Lvc6oI 216eFvPGZq3ewHJ/YKI3BeCYJqB3yYWDzd2XQySozMMT1CsJF5AbnQ+VYmICGOQDgVU 217LP1YOt5zuYK1MKCwG2sh/1pOJAbZA7Oj8BOU8hz90r7+F/65HMDku6QZnglpb1WT 218v3+U/TQcuarYdPd/gqUJogwLfvSRhFcSXav/qpcCHvJqO7iuz+8cGIoply87YKz0 219WsipQl8wO5fFpk+T2LIc7vWfs56CIRh4+xI/TJAySwpX7Vm2D1AZtN/myYXrVt2J 220N+GyAzUZXU42kOpkIR5ojagSohxdQcX+C821vk0izHxivqkm+Rue/TqdrnYSyoRQ 221earNG3ErPRnF3GP3m82IsZEGwM3I2ev8hpQ5wtehXv3VGnfpeqonrVecvMsNrFvl 222Zw8OsLKbct3DQug1rIacgb3tXz9oO+VSY8c0vNuaY8gPqyXuoWWht+djgnvueTom 223TbaBCIySnzj2qlCkfrMkWOZG7ONhl+HWSRekIWiYirsWhTxEPgNSebXvBdDYhn5Y 224a2Cu4glJDhO4ptFX59pKDyDltwFXgc9IfZfkVrVMVx6IwhjrXILZvul01LDeyVOw 2258Dcy+epUpJ1012qUb9Capzrq8kXEsb4FdBqOpZ9e3MOWlQONlGgJEP2fy6PFPO0g 226TV4P/RY9pjtEMYCQ4i2qPdDXFpaIFv8f0UlAegN9bF32uSWXHLksuo6J+/40vYDt 227qPzBO1JQUovKb4Xgn9muN+YDT0u7RyItEQSYczEOjf1ygd354bjvefhfarMboupl 2285h1zKR/S9hCQMA6CyyN83ucSPGzuJXaTro5a1IIL8aFJGyRU0wlFmW8csa6w3rtO 229u13jSh+XRSXrcGL4/IpTrSVbvqRVF6ptyiLnOPJ1tf2DMUCz7Z3UFm2sXd29seL2 230Fq3KwEWbLeMlGlRRVbdUJkVtQqhcG3H1pWTcPbO2nWdNEIsV+DovvaaHp7yg12ok 231/8+GY8fwEnfb90+w1Pox5iUlBX47NdYsuX8QEON3fbt2+rTKE2hElIpGOBOjQwF9 232Q3r7/tJ8wHJS4TBFzuNOmgLNG1jVuasYEB5NdXQgrYd0ADnAsGHq+L/5tsoA8B/y 233OWdlXLdRZGdThgIrJLBy0HCes0vf7BU67wXWOpUzTYVMphStomafGnqMkTjhUUAQ 2346KOPGVWBXGhTqNQEWhlHr9Ro+9We0ULbeWt3Ldcnfr9erap8q474jvTW3cbbqAT/ 2357qS44dDnO07gu76L/UntHgRUM5p+AwIcbwduMDGOZxMK0rNlc3GQm7KDdlJGewAr 236HXv4f5B0kS3W42HJYVfByu0jHyyM3Q36LW6hchdGRpKHHlDFiQREBBgBAgAPAhsC 237BQJfAiWrBQkJueiFAinBXSAEGQECAAYFAlcpcKEACgkQ9xwiw9sfcidUWxAAqBuh 238LpGsfE761pLeO3DLEtUKt/YXFNiS62MSOO3hQYduZihq45Lvc6oIeFvPGZq3ewHJ 239/YKI3BeCYJqB3yYWDzd2XQySozMMT1CsJF5AbnQ+VYmICGOQDgVULP1YOt5zuYK1 240MKCwG2sh/1pOJAbZA7Oj8BOU8hz90r7+F/65HMDku6QZnglpb1WTv3+U/TQcuarY 241dPd/gqUJogwLfvSRhFcSXav/qpcCHvJqO7iuz+8cGIoply87YKz0WsipQl8wO5fF 242pk+T2LIc7vWfs56CIRh4+xI/TJAySwpX7Vm2D1AZtN/myYXrVt2JN+GyAzUZXU42 243kOpkIR5ojagSohxdQcX+C821vk0izHxivqkm+Rue/TqdrnYSyoRQearNG3ErPRnF 2443GP3m82IsZEGwM3I2ev8hpQ5wtehXv3VGnfpeqonrVecvMsNrFvlZw8OsLKbct3D 245Qug1rIacgb3tXz9oO+VSY8c0vNuaY8gPqyXuoWWht+djgnvueTomTbaBCIySnzj2 246qlCkfrMkWOZG7ONhl+HWSRekIWiYirsWhTxEPgNSebXvBdDYhn5Ya2Cu4glJDhO4 247ptFX59pKDyDltwFXgc9IfZfkVrVMVx6IwhjrXILZvul01LDeyVOw8Dcy+epUpJ10 24812qUb9Capzrq8kXEsb4FdBqOpZ9e3MOWlQONlGgJEP2fy6PFPO0g6OUP/i7NGgKx 2498BcqGwxLnD/0yWAxFIR4hhqyEFMhu3at1x3RAS+Wbp2VVtVBKXEjHF8FU4uumAtV 250jnDX7znLNRxU3V5V3D0ISxMtvbqhW1mCMyrbc0o2fwd53klT2E8vE9B+VV6XUYzk 251Viqj0YOcQ7mTDbNufPrapdRtT5g/05lC98MBSjzGVv11h9t8dTMcmPBgMMwzdYEJ 252tdHHJzfjmvqApYe6mP3NvCO9j8qukVX3nQjxx/5y2E17CyASwU8iLpB1mjPcTKFZ 253xQVdg61m7ftwptIdasQaY7msqaW9C44ULMdxMq8E25ebMT1W8pGzLjO5xXI6v1o5 254h9hRNJEjPVpODgcBz8V+VZaiyfbF5/Rq/SUhHXLdxLS4ZvdWxoWj3NtbItg42OtG 255qOU8CFh6pZQp3j2bvkQMdTQ587QByTE3cev+1RAjrjGNqIpSyAhDrFICP6Wz4EkX 256OO43P0SZry7u5/lQRSo9w3r0j29MmGSZrVxgG3WRuzXh7e7Ii8uSETjqtmIXu9xO 2579HokXbIcVmqD+eF2hdtx1FpSTvV3iefOn7XVVcyWGQHDfOXtbfyE5McZkX1YZ9gf 258vS/3t/c23hqM2rFNVBs+yKfZIGEa7w+WedspQ4RR9PuTJP1El1aPCVheMIKxJHgz 25924DIbd7BgGqHkwKf6fItseIGXWNWMFtLhObb 260=GEF6 261-----END PGP PUBLIC KEY BLOCK----- 262``` 263 264## Escalation 265 266If there is no response from the authors within 3 days, please escalate your vulnerability report by emailing security@blockstream.com using this PGP key: 267 268 269``` 270-----BEGIN PGP PUBLIC KEY BLOCK----- 271 272mQINBFv/XdQBEAC2iS1uQij2AJSnvQZxScnqf6v0db63QDbS6GjH5PndQ8cF0szv 273YJYCFBigkzj4BkKxbJJlnfPW6Jl3SfzCGDvBW3IYuB3S10InDqJFYcM1ZemWCGAs 274HA48NDfB4AIBIFH09H4dUE/J6yAdhX/+Qa/bjOhiwrCFVE2pVtMN8aTFnaLzxCP+ 275fWZUaPrPv84B7uxEdLM77wIhsN+16FAr1qS42NfKDDolBAs//Bmv5fkNC7lzAVCf 276MA/QEcNlAvButPrNyZU3t25maUv5hhKUDdJ2G/iACf8tVgp+ygmD8NHQMLPSaFqa 277O5wy77Fd5OyX3Gii/E8MtPEsePViwecwJqc/3UXBx7zTRou2gxLikVFTnJb+Jit9 278F2kcljhCjHGxsuhf4Zr6zu+RTHHDgdBmpt4t1HA2jft/40r+uWQjL/rNP+01HgZj 2794OLHkSI5VfJsXRn1EqOGpBIzR56f0GaxA0jluQMfkE9PTMxg5+YbrGgdot3l7pQ3 280+mqMu3aim2EYZZHTsMCRt4j4pRn5g4BZan+w7STfA7rIMJu/MjP3G4s+IFMPVRki 281QLwktZSD+x2M9iIsOD4YVheMKtU6WRroFeCkXzIzLYwCuZ4ym/JFJMH+Keuyo254 2825hcymw+ivmPP+xuuoP1npQioRH4RKpfDgskABv8+t5rteV4BtUIWL33A/wARAQAB 283tDlCbG9ja3N0cmVhbSBTZWN1cml0eSBSZXBvcnRpbmcgPHNlY3VyaXR5QGJsb2Nr 284c3RyZWFtLmNvbT6JAk4EEwEKADgWIQQRdlQtqY5x4TNyLvdKyMyIaESi1gUCW/9d 2851AIbAwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRBKyMyIaESi1lcQD/9HZmtP 286XhKtwC92zTsT5Xqt/K4ckaiJRaUlHeFtfkHpTdXIUFIJjZ1w1JJAWLtRf58MY45U 2875DAOOYQptoXiy4USZkIMH1uBtFSAvyCUXH5cDWK1347G5rUg6Ry8Cxe+wzXOlxfr 288f/9Vs28z+awfIrvk50sj4QW+mMlS69VwuHUl5CJ+BtcqQWQO85ummQxQq8rMw7rD 289AwkftqiMKz+YLw5/xECyiXDDdQr66kdkglbQGgiciS7HNo0SQ2XqTNcGZkRA3lmv 290HYCchZpgr9qxfnLjgVddJB+iNTwFZ7AQ7ZBlYWvu5UIMweuEz+yB7WGbQZLOsRZ8 291OaIPmZ150VX0sQYeXYhoFrraNW6obFqsSklnQbsfw6KsCaFvYhNZgHf177YlrAzq 292puR53H1sOjOQq8pnbjyf4XLhAGMC65LydWtkQK77m46kOBZad9UGg2WKg/SY+3pF 293WWdP7vlsR7oJyElEQfUwBsT16K/6kenyagQ6CzqnF/X+W7P1STndpBJp4lD0RfaD 294v6UyqxPYhUuQ24jP5jm8+RtS+OGB00czY2cVSDgjYVuU80WsW+Qt0XtLKeoVYdCb 295TaKgreicqbz0Afr9hbPIieW2wbQnYlRPjprTVhhGsxlaUb7Kcz7fapliJrKBFgy5 296odUljZ+iSompuiYtFhVYA8e6sx0pRUGOopnkGLkCDQRb/13UARAA3WAlRv6DofgG 297xu+L2ePZb1OCQTkn4Eq+24veGibPvlqFJivF1ebctUtxiKVsz0dXtWcAYk7Rh2I/ 298xsEGxIzhjr5VLVOdldM5AgJna6WPvOA4sPXjdy47R71NfEQfg9Svv93mmkpbJsL3 299NuHxvpoeO4A9JrFfwn7WJevXOiUWdKJ+nn0ZPwjYle6i27OfIojyVmZVQEiHC/Il 300LxQEYaNDalAorjnn0b7X7S3Z8pMAb8HqD0RTXXed9LPgbasARyND2I2xy1txUDPI 301Qcq6tIbryGYlegEHuvsE31zRPoNjnXkwABb6qBkUUiZMbRJCYOQXSo7Z2tasKHIJ 302I/FnIj8dmT/IXDb9KiWr8wziGLdgnZx3QZGt5P0LIMFKrfXMNJO7EmO1QMbgZFgk 303JPhJ0o61PvMaVLMQVoxD6K7bKOzI2t4LTA0l5RxuMcadu8G13YzgVXX44Cac1qUn 304xriMzk62HXdSeZozcO/IRN7Kdw2bB++5EVYTQN1EEhIymXVUrBg2pXvLSXalg+kp 3050BhLVHcbTI51mKz8GY9NUShFI7ZEzxzzltcEA+F5TLrPMgT+tx+QvjDdGWIhWycI 306KW53hjKiGolhpG9Kqo9ogtCO2a3r6JspO0z+54/EF5rS2LI13pqk0qNgoYMYqChe 307XU8BJdZ9siCooQ+3o+Y/9TkQWSAwnWkAEQEAAYkCNgQYAQoAIBYhBBF2VC2pjnHh 308M3Iu90rIzIhoRKLWBQJb/13UAhsMAAoJEErIzIhoRKLWGhoP/jFfwRrda1RNR6OY 309NHOIa4x4PtjDuYwDYgI5X2NQXlglyOTWouKjY1eu7LRoQSS5blD7BA9GHhYRDBL/ 3100NQo/EQn3JFoitGWs07Bry0A4DTOz0H7wRqVXtN+Ck13QdEemq+suLE+PcbRJ4Ei 311ANoNVgSRGqYO683oXEzGgzF+FXXPbcRTNHwvV8LgmUioe2cgHX3Q2PC3gUTmnNkq 312IhWirlT5cQVSLS2IzsP903uq8VtHl7lXLkS6Ba3CmwLoHYfhurGQNR6Av2WPgL2D 313oY8NOxPdz9QxBUzUVObiMm3UfD/eTF73NAmNJRDqYzpY/l54ZyxLFjlfXRpwKrx/ 314islwezx+2fzns5u4xwdywVHzvgsmbXMIDdNTaTS8BDaKbAopLmbmuTnnTbJXWFbb 315mQ2/GHcB0mKuXDkzt+7JMQ0NHtrGC3qvEtnTXZGXr3uIhFDkJSOoaH68dqq5++pz 316GtT+aiv3L120r0pSSyTgbPsrqSlWgXEuJ4uzt3j69J0Qek0YrL0EDxHdnGPW4+fv 317AZiq1RFG8MHOy0Obahed5uqlzXCNtroHdgSQeR+6IkODSsEd+hVdXJs/hjcWLNG5 318VNztar/H4BSwlhKbgvFivOzhj8x5TNoqMM95G8Ew/5idiT/YQgsA6lcwsEZ78t9O 319lTHPj4G8vH5F/zIFb+uQNSlKzuH+ 320=8mAH 321-----END PGP PUBLIC KEY BLOCK----- 322``` 323 324## Acknowledgement 325 326Your help in maintaining and improving the security of this software is deeply appreciated. When the vulnerability you have reported is patched here and in downstream dependencies, we will publicly disclose it. Let us know if you would like to remain anonymous or would like to be acknowledged. We would be happy to acknowledge your contributions to closing the vulnerability you found in the release notes, source code and/or documentation in this repository. 327