quicproquo/SECURITY.md
Christian Nennemann a9d1f535aa chore: prepare repository for public release
- Add split licensing: AGPL-3.0 for server, Apache-2.0/MIT for all
  other crates and SDKs (Signal-style)
- Add SECURITY.md with vulnerability disclosure policy
- Add CONTRIBUTING.md with build, test, and code standards
- Add "not audited" security disclaimer to README
- Add workspace package metadata (license, repository, keywords)
- Move internal planning docs to docs/internal/ (gitignored)
2026-03-21 19:14:05 +01:00

Security Policy

Supported Versions

Only the current main branch is supported with security updates.

Reporting a Vulnerability

Do not use public GitHub issues to report security vulnerabilities.

Instead, email security@quicproquo.org with:

  • A description of the vulnerability
  • Steps to reproduce or a proof of concept
  • The affected component(s) and potential impact

We will acknowledge your report within 48 hours and work with you on a fix under a 90-day coordinated disclosure timeline.

What Qualifies

  • Cryptographic implementation bugs (MLS, Noise, hybrid KEM, key derivation)
  • Authentication or authorization bypass
  • Key material leakage (memory, logs, network)
  • Protocol-level flaws (replay, downgrade, impersonation)
  • Any issue that compromises message confidentiality or integrity

Credit

Reporters are credited in published security advisories unless they prefer to remain anonymous. Let us know your preference when you report.