Lumen Loop · Research (Long-form)

How the Soroban Security Portal is Evolving

Inferara expanded access to the Soroban Security Portal, allowing developers and auditors with Navigator or SCF Projects Discord roles to contribute audit reports and log vulnerabilities. The portal aggregates and curates security information for Soroban projects in a searchable database.

By Inferara

The concept of decentralization has its use cases, especially in finance. In Web3, it offers immense benefits like fostering innovation, resilience, and privacy. But when everything is completely decentralized, things can become overly complicated, and people struggle to find important information or data.

As a dev-tooling-focused company, we at Inferara were surprised that information about audit reports and individual vulnerabilities in Stellar projects was rather scattered and often incomplete. Sure, the audit reports exist, but they are often a hassle to find, especially as the number of projects and auditors grows each year. Another pain point is that reports are often only available as PDFs, sometimes without selectable text that can be copied for use elsewhere. As we delved deeper into the ecosystem's smart contract security, we discovered that finding critical reports and vulnerability data was far more difficult than it should be.

There simply wasn’t a centralized, easily searchable knowledge base for Soroban vulnerabilities and development best practices. If our team, with a development and blockchain background, struggled to find answers, developers and projects new to Stellar must face even greater hurdles. For the Soroban ecosystem to truly flourish and attract widespread adoption, easy access to this vital information is essential. It shouldn't take an experienced developer several hours just to maybe find the tools they need to start their project or to check whether a similar bug has been reported before.

Just as LumenLoop is making news and happenings on Stellar easier to keep track of through its system, we built the Soroban Security Portal (which might soon become the Stellar Security Portal) to make it easier for users, developers, and auditors to access and learn from reports and vulnerabilities. Instead of being just a static list of contracts or links to PDFs, it offers curated information and semantic search, and it is updated frequently as new audits are performed.

The start of the Portal

As we mentioned, the project idea started when we noticed that it was harder than it should have been to find vulnerability reports and data about Stellar projects. Within the Discord, a new category called #idea-bank had just been created (check it out and share your thoughts!), where we proposed the concept of the Security Portal. After some discussion there seemed to be support from the Stellar community, which led us to apply for SCF (Stellar Community Fund) #36. Thanks to the community support, the application was successful, and you can see our presentation from the SCF Demo Day.

As you can see in the original submission, it was originally going to be called the Soroban Security Catalogue. We realized that the two spellings, catalogue vs. catalog, would leave room for spoofing or phishing attack vectors (a look-alike name that users might not notice), so we went with the Soroban Security Portal instead. We are once again going to rebrand to the Stellar Security Portal, as requested, to increase Stellar branding.

Even though the final milestone was completed in September (2025), we have continued to improve the Portal with new features, bug fixes, reports and individual vulnerability logging. We are still actively maintaining it and have plans to implement more social features, as well as to make it easier for individuals to contribute. It takes a village, or in this case a network, to raise a child project!

Original pain points and attention to detail

We are grateful for the initial SCF grant and the recent Public Goods award. These, along with the community support, have been very helpful, but there are ongoing challenges that require improvements to existing methods and systems. Maintaining the portal comes with a unique set of challenges that most users don’t see.

Originally, one of the main issues was simply sourcing the audit reports and mapping their findings to GitHub repos and protocols. Starting from 0 reports/audits, it took a lot of manual time to search, index and keep track of reports. Reports are frequently scattered across personal GitHub repositories, independent team websites, or buried deep within Discord chat histories. To make matters more complicated, many of these documents are delivered as locked PDFs. Extracting code snippets, parsing the actual vulnerability details, and preparing a clean Markdown version for the portal requires significant manual curation.

Then, once we had actually tracked down the reports, the next pain points became clear. There is no formatting consistency between auditing firms: every auditor has their own methodology, taxonomy, and reporting style.

There are also multiple versions of a report as auditors or protocols publish updates, very different formatting between auditing companies, and information that is difficult to access directly (dead links, private repos, etc.). All of this makes it harder to break audit reports down into individual vulnerabilities.

An example of hard-to-access information is when artifacts are referenced simply as “see the contract code at [this link]”, which would often lead to:

Navigating these reports and manually mapping links, resources and other information is time consuming, but very much worth it in our opinion. We try to avoid sending users to inaccessible links whenever possible; where it can’t be avoided, we add manual notes to inform them.

The individual vulnerabilities we log in the portal are more than just plain text or copies of the original reports, though! We make sure to preserve the original text, and when possible we add further hyperlinks and additional context notes. The reason we do this is quite straightforward: we want developers, both new and experienced, to have access to as much information as possible. It takes additional time, but if we can link people directly to the code being referenced in a public GitHub repository, why wouldn’t we?

Another detail that visitors might miss is our commitment to readability. We ensure that any code mentioned in these reports is placed in clean, syntax-highlighted code blocks and manually verified line by line. This level of care is exactly what proper maintenance and logging of security reports requires. Turning a chaotic mix of scattered data into structured insights is where our team spends the majority of its maintenance energy, and we do it so that the portal is actually useful to people.

Making Portal Contributions more accessible

We have had some help with our open issues on GitHub thanks to the frequent Drips Stellar waves from community contributors, who have started an initiative to make projects on Stellar easier to contribute to. Because we also believe a public good should be shaped by its actual users, we need to make the portal more accessible to contributors.

Until recently, adding reports, logging vulnerabilities, or making edits was highly gatekept. To protect the integrity of the security data, access was limited to portal maintainers and Pilots (those with the Pilot role in the Stellar Developers Discord).

Initially this was done to make sure submissions were of high quality, since only Pilots could participate. We have since realized that it also created an unintentional bottleneck. If a user noticed a dead link, a project maintainer wanted to upload their latest audit report, or a developer wanted to add a note about a vulnerability, they had to jump through unnecessary administrative hoops.

To solve this, we have officially updated our permissioning system and opened the gates to a wider circle of trusted builders. Contribution access is now live for anyone holding the Navigator role or the SCF Projects role on the Stellar Developers Discord.

If you already have the Navigator or SCF Project role, you now have the direct power to log vulnerabilities, add reports, and update existing documentation. Check the role system here to get started.

We invite you to jump in, explore the tools, and help us keep this project growing.
