| Version | Supported |
|---|---|
| 1.x | Yes |
| < 1.0 | No |

If you discover a security vulnerability in Tracehound, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
- Email: me@erdem.work
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Affected version(s)
  - Impact assessment (if possible)
  - Suggested fix (if any)

| Stage | SLA |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Fix development | 30 days (critical), 90 days (others) |
| Public disclosure | After fix is released |

- We acknowledge your report within 48 hours
- We investigate and assess severity
- We develop and test a fix
- We release the fix and publish a security advisory
- We credit you in the advisory (unless you prefer anonymity)

- @tracehound/core — all modules
- @tracehound/express — middleware adapter
- @tracehound/fastify — plugin adapter
- @tracehound/cli — CLI tool
- Binary envelope format (THCS)
- Cryptographic operations (hashing, integrity verification)
- Process isolation (Hound sandboxing)
- Memory-bound guarantees (quarantine, rate limiter)

- Third-party dependencies (report to their maintainers)
- Denial of service via resource exhaustion against the host application
- Issues in draft/unreleased code on non-main branches
- Social engineering attacks

Tracehound's security architecture is documented in:
- RFC-0000: Core Architecture — Threat model and invariants
- Fail-Open Specification — Failure mode guarantees
- Evidence Lifecycle Policy — Data handling
- Cold Storage Security — Storage integrity
- Security Audit Roadmap — Audit plan and recommendations

These properties are guaranteed and any violation is a security bug:
- Decision-Free: Tracehound never makes threat detection decisions
- Payload-Less: Raw payloads never escape the quarantine boundary
- Fail-Open: Tracehound failures never block host application traffic
- Deterministic: No ML or heuristics in the hot path
- Constant-Time: All hash/signature comparisons use crypto.timingSafeEqual
- Memory-Bounded: Every buffer, map, and collection has an explicit upper limit
- GC-Independent: Security-critical cleanup is explicit, not garbage-collected