Security: genlayerlabs/genvm-executor

SECURITY.md

Security Policy

GenVM is consensus-critical: the executor runs Intelligent Contracts and its output must be identical and trustworthy across all validators. Please treat security issues accordingly.

This repository is a component of genvm-manager; the canonical security policy lives there.

Reporting a vulnerability

Do not open a public issue. Report privately via GitHub's private vulnerability reporting, or email kira@yeager.ai.

Include a description, affected component/version, and a reproduction (a contract, calldata, or test case) where possible. We aim to acknowledge within a few business days.

Severity priorities

Issues are triaged by impact, highest first:

  1. Remote code execution — escaping the WASM/VM sandbox, or running attacker code in a validator or the build pipeline.
  2. Determinism violation / financial issues — anything that makes honest validators diverge or accept invalid results (non-canonical encoding, version-gate bypass, untrusted caches, balance/fee accounting).
  3. Undefined behavior — out-of-bounds reads/writes, type confusion, and other UB at the native (Rust unsafe, C extension) boundary, even without a known exploit yet.
  4. Crash / internal error — contract-triggerable panics, aborts, or unhandled errors that should instead be a canonical VMError (availability impact).
  5. Miscellaneous — secret/credential leakage in logs, info disclosure, resource exhaustion with bounded impact, and hardening gaps.