- it is recommended to follow the list of known vulnerabilities and stay up-to-date with the latest releases
- as of May 2024, the 0.4.0 release is the most secure and the most comprehensively reviewed one and is recommended for use in production environments
- if a compiler vulnerability is found, a new compiler version with a patch will be released. The vulnerable version itself is not updated (see the examples below).
    - example1: suppose 0.4.0 is the latest version and a hypothetical vulnerability is found in 0.4.0, then a patch will be released in 0.4.1
    - example2: suppose 0.4.0 is the latest version and a hypothetical vulnerability is found both in 0.3.10 and 0.4.0, then a patch will be released only in 0.4.1
- Vyper conducts recurring security audits with multiple firms. Additionally, a competitive audit with CodeHawks was conducted during the fall of 2023.
- all Vyper audits can be found in a separate repository: vyperlang/audits
- The link below lists all publicly disclosed vulnerabilities and exposures. Best practices dictate that when we are first made aware of a potential vulnerability, we take precautions by assessing its potential impact on deployed projects. When we are confident that disclosure will not impact known projects that use Vyper, we will add an entry to the list of security advisories for posterity and reference by others.
- list of publicly known vulnerabilities: https://github.com/vyperlang/vyper/security/advisories
- as of May 2024, Vyper does not have a bug bounty program. One is planned to be set up soon.
- If you think you have found a security vulnerability in a project built with Vyper and the vulnerability is caused by the compiler, please report it to the relevant project's security disclosure program before reporting to us. Additionally, please privately disclose the compiler vulnerability at https://github.com/vyperlang/vyper/security/advisories.
- Please Do Not Log An Issue mentioning the vulnerability.