
Security

SNCheck exists to make running subnet code safer. That trust starts with how we handle your data and how we handle vulnerabilities.

Never send private keys, seed phrases, hotkeys, coldkeys, or wallet files to SNCheck.

SNCheck performs static analysis of repository source code only. It does not need — and should never be given — wallet material of any kind.

No wallet or key collection

The CLI reads repository files locally. It does not collect, upload, or transmit wallets, keys, or credentials.

Defensive security purpose

SNCheck is built for defenders — miners, subnet owners, and researchers — to review code before it runs. It is not an offensive or exploitation tool.

Evidence-first, not accusatory

Findings point to a file, line, and the matched evidence. SNCheck uses neutral wording and avoids labeling repos or owners.

Open-source and auditable

The scanner is Apache-2.0 licensed. Anyone can read exactly what it checks and how.

Responsible disclosure

If you find a serious vulnerability — in SNCheck itself, or in a subnet repository that could put miners at risk — report it privately first so it can be addressed before public discussion.

  1. Report privately. Email security@sncheck.xyz with details and reproduction steps.
  2. Give time to respond. Allow maintainers a reasonable window to investigate and remediate before disclosing publicly.
  3. Avoid live exploit details. Do not publish working exploits for active subnet repositories before maintainers have had a chance to respond.

What not to publish publicly

When discussing findings, avoid posting anything that helps an attacker before maintainers can respond: working exploit code, extracted secrets, or step-by-step weaponization for an active subnet repository. Share the risk, not the weapon.

SNCheck does not certify that any repository is safe. Automated findings are signals for manual review and may include false positives or miss real issues.