If you think you have discovered a security issue in any of the Linux Foundation Decentralized Trust (LF Decentralized Trust) projects, we'd love to hear from you. We will take all security bugs seriously and if confirmed upon investigation we will patch it within a reasonable amount of time and release a public security bulletin discussing the impact and credit the discoverer.
Besu accepts security bugs at two email addresses:
- security-besu@lists.hyperledger.org is limited to a subset of Besu maintainers and LF Decentralized Trust staff. For highly sensitive bugs, this is the preferred address.
- security@hyperledger.org is limited to a subset of maintainers and staff of all LF Decentralized Trust projects, and may be viewed by maintainers outside of Besu.
When sending information to either of these emails, please include a description of the flaw and any related information (for example, reproduction steps, version, and known active use).
The process by which the LF Decentralized Trust Security Team handles security bugs is documented further in our Defect Response page on our wiki.