30 lines
987 B
Markdown
30 lines
987 B
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
Only the current `main` branch is supported with security updates.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Do not use public GitHub issues to report security vulnerabilities.**
|
|
|
|
Instead, email **security@quicprochat.org** with:
|
|
|
|
- A description of the vulnerability
|
|
- Steps to reproduce or a proof of concept
|
|
- The affected component(s) and potential impact
|
|
|
|
We will acknowledge your report within **48 hours** and work with you on a fix under a **90-day coordinated disclosure** timeline.
|
|
|
|
## What Qualifies
|
|
|
|
- Cryptographic implementation bugs (MLS, Noise, hybrid KEM, key derivation)
|
|
- Authentication or authorization bypass
|
|
- Key material leakage (memory, logs, network)
|
|
- Protocol-level flaws (replay, downgrade, impersonation)
|
|
- Any issue that compromises message confidentiality or integrity
|
|
|
|
## Credit
|
|
|
|
Reporters are credited in published security advisories unless they prefer to remain anonymous. Let us know your preference when you report.
|