Security Policy

Supply chain

  • Rust: Cargo.lock is committed for reproducible builds. Run cargo audit and cargo deny locally; CI runs them in ci-rust.yml, with a scheduled pass in ci-security.yml.
  • SBOM: The ci-sbom.yml workflow (Anchore SBOM Action, CycloneDX JSON artifact) runs on pushes to main and can be triggered manually.

Supported versions

Security fixes are aimed at current main and recent release tags. Older lines may not receive backports; ask maintainers if you depend on a specific tag.

Reporting a vulnerability

We take security issues seriously.

Do not file a public GitHub issue for undisclosed vulnerabilities.

How to report privately

  1. Email security@security-envelopes.org (if that address is not yet active for your fork, use the repository’s private security advisory flow on GitHub if available).
  2. Include:
    • Short description and impact
    • Steps to reproduce
    • Affected component(s) and versions
    • Optional patch or mitigation ideas
    • Contact for follow-up

What we will do

  • Acknowledge receipt as soon as practical
  • Work toward a fix and coordinated disclosure timeline with you
  • Credit you in release notes if you want

Exact response times depend on severity and maintainer availability; critical issues are prioritized.

Security measures (current direction)

Formal methods

Core behavior is modeled in Lean 4 under Spec/. Proofs and coverage grow over time; treat the formal layer as an evolving guarantee, not a blanket “everything is proven” claim.

Automation

  • Static analysis: Clippy with warnings denied; CodeQL for Rust (codeql.yml).
  • Dependencies: cargo audit, cargo deny in CI.
  • SBOM: See supply chain section above.

Cryptography and protocols

The engine and specs aim to use standard algorithms (for example Ed25519, SHA-256, AES-GCM) where applicable. Exact algorithms and wire formats are defined in code and specs; verify against your deployment before relying on compliance claims.

Code quality

Rust code should minimize use of unsafe, and any new unsafe block must go through review. Validate untrusted inputs at trust boundaries (policy loading, WASM, network-facing paths).

Security best practices

Contributors

  1. Never commit secrets, tokens, or production keys.
  2. Prefer least privilege in examples and tests.
  3. Keep dependencies intentional; run audit/deny when changing lockfiles.

Users and operators

  1. Pin versions and verify artifacts (hashes, signatures) for your environment.
  2. Apply updates from trusted sources.
  3. Harden runtime (TLS, keys, access control) for your threat model.
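The hash-verification step in item 1 above, shown as an added POSIX shell example; it is not part of the project's own tooling. The artifact name, the digest values and the checksum-file layout (the two-column form `sha256sum` emits) are constructed for illustration. The script only checks a digest against a pinned value; the signature check the policy also asks for is a separate step that depends on the project's release-signing setup, which this page does not specify. The pinned digest must itself come from a channel you trust (for example signed release notes), not from the same download location as the artifact, or the check proves nothing.

```shell
#!/bin/sh
# Added example: verify a downloaded release artifact against a pinned
# SHA-256 digest before installing it. Names and values are constructed.

# sha256_of FILE -> prints the lowercase hex SHA-256 digest of FILE.
# Uses coreutils sha256sum where present, falling back to shasum (macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact FILE EXPECTED_HEX -> exit status 0 if the digest matches,
# 1 if the file is missing or the digest differs. Hex comparison is
# case-insensitive so a digest copied from an upper-case listing still works.
verify_artifact() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected got $actual" >&2
    return 1
}

# verify_checksum_file SUMS_FILE -> checks every "<hex>  <name>" line in
# SUMS_FILE relative to its own directory. Every entry is checked so that the
# report lists all mismatches; the function fails if any entry fails or if
# the file has no entries at all (an empty checksum file must not pass).
# Filenames containing whitespace are not supported by this simple parser.
verify_checksum_file() {
    sums=$1
    dir=$(dirname "$sums")
    count=0
    failed=0
    while read -r hex name; do
        [ -n "$hex" ] || continue
        count=$((count + 1))
        verify_artifact "$dir/$name" "$hex" || failed=1
    done < "$sums"
    [ "$count" -gt 0 ] || { echo "no entries in $sums" >&2; return 1; }
    return $failed
}

# demo -> exit status 0 when the constructed good artifact verifies and the
# tampered copy is rejected; 1 otherwise. Everything runs in a temp dir.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed release payload\n' > "$tmp/envelope-1.0.0.tar.gz"
    digest=$(sha256_of "$tmp/envelope-1.0.0.tar.gz")
    printf '%s  envelope-1.0.0.tar.gz\n' "$digest" > "$tmp/SHA256SUMS"
    verify_checksum_file "$tmp/SHA256SUMS" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/envelope-1.0.0.tar.gz"   # simulate a modified download
    if verify_checksum_file "$tmp/SHA256SUMS" 2>/dev/null; then
        rm -rf "$tmp"
        return 1                                  # a tampered file must not pass
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

Run it as `sh verify.sh`; the first pass prints `OK` for the constructed artifact and the second, tampered pass is rejected. For a real release, replace `demo` with a call such as `verify_checksum_file ./SHA256SUMS` after placing the pinned checksum file next to the downloaded artifacts.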

Vulnerability handling

  • Triage: Reports are assessed for severity and exploitability.
  • Fixes: Land on main and are described in release notes; use tagged releases for production tracking.
  • Disclosure: Prefer coordinated disclosure with the reporter.

Compliance and standards

This repository is a software project, not a certified compliance program. If you need SOC 2, ISO 27001, GDPR, HIPAA, PCI, or similar assurances, you must map controls to your deployment, processes, and legal obligations. Do not infer certifications from this document alone.

Acknowledgments

Thanks to everyone who reports issues responsibly. Researchers who disclose in good faith can be credited in release notes or a security acknowledgments section, by agreement.