WLD Wallet
Security

Security policy and release verification.

A clear place for vulnerability reports, supported versions, checksum verification, and safe installation habits.

Security policy

Report privately, protect users first.

If you find a vulnerability that could affect funds, private keys, transaction signing, update delivery, or release integrity, report it privately through the official repository security advisory flow before publishing details.

Scope

In scope

Key storage, seed import, hardware-wallet signing, transaction construction, RPC handling, update checks, checksum manifests, and desktop packaging.

Disclosure

Coordinated timeline

Include reproduction steps, affected versions, expected impact, logs with secrets removed, and suggested fixes. Public disclosure should wait until users have a patched release path.

Out of scope

Non-wallet issues

Spam, social engineering, unrelated World services, exchange availability, token price movement, or issues caused by modified third-party builds are outside this policy.

Verify checksums

Confirm the binary before opening it.

Every release should publish SHA-256 hashes for macOS, Windows, and Linux artifacts. The downloaded file hash must match the signed release manifest exactly.

macOS

SHA-256 and signature

Run shasum against the disk image or archive, then verify the app signature before first launch.

shasum -a 256 WLD-Wallet.dmg
codesign --verify --deep --strict WLD\ Wallet.app

Windows

Hash and publisher

Compare the installer digest and check that the publisher signature matches the expected release identity.

Get-FileHash .\WLD-Wallet-Setup.exe -Algorithm SHA256
Get-AuthenticodeSignature .\WLD-Wallet-Setup.exe

Linux

Digest before chmod

Verify the AppImage or archive hash before making it executable or moving it into your app directory.

sha256sum WLD-Wallet.AppImage
chmod +x WLD-Wallet.AppImage

If a checksum, signature, filename, or download source does not match the release notes, delete the file and download again from the official release page.
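The macOS and Linux steps above, as an added shell example that is not part of the WLD Wallet project: a verify_release function compares an artifact's SHA-256 against a sha256sum-style manifest and install_if_verified only runs chmod once that check passes. The "<digest>  <filename>" manifest layout and the file names are assumptions; adapt them to the real release manifest.

```shell
#!/bin/sh
# Added example, not WLD Wallet project code. Assumes a manifest in the
# format written by sha256sum / shasum -a 256: "<hex-digest>  <filename>".

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Look up the expected digest for an exact basename in the manifest.
# "*name" is accepted because binary-mode tools prefix the name with '*'.
# A renamed or lookalike file has no entry and is therefore refused.
expected_digest() {
    awk -v f="$2" '($2 == f || $2 == ("*" f)) {print $1; exit}' "$1"
}

# verify_release <artifact> <manifest>
# Returns 0 only when the manifest lists the file and the digests match.
verify_release() {
    artifact=$1
    manifest=$2
    name=$(basename "$artifact")
    want=$(expected_digest "$manifest" "$name")
    if [ -z "$want" ]; then
        echo "refusing: $name is not listed in $manifest" >&2
        return 1
    fi
    have=$(digest_of "$artifact")
    if [ "$have" != "$want" ]; then
        echo "refusing: digest mismatch for $name" >&2
        echo "  expected $want" >&2
        echo "  got      $have" >&2
        return 1
    fi
    echo "ok: $name matches manifest"
}

# install_if_verified <artifact> <manifest>
# The file only becomes executable after the digest check succeeds.
install_if_verified() {
    verify_release "$1" "$2" && chmod +x "$1"
}

# usage: install_if_verified WLD-Wallet.AppImage SHA256SUMS
```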

Verify before importing keys.

Install only verified builds. Check the release source, digest, and publisher signature before importing a seed phrase or connecting hardware wallets.

Keep signing explicit.

Review chain, recipient, token contract, amount, gas estimate, and nonce before approving. Reject any prompt that appears after visiting an unrelated site or opening an unknown file.

Treat backups as live funds.

Store recovery phrases offline. Do not photograph, cloud-sync, email, paste, or send them to anyone claiming to provide support.