Christian Nennemann
a9d1f535aa
- Add split licensing: AGPL-3.0 for server, Apache-2.0/MIT for all other crates and SDKs (Signal-style) - Add SECURITY.md with vulnerability disclosure policy - Add CONTRIBUTING.md with build, test, and code standards - Add "not audited" security disclaimer to README - Add workspace package metadata (license, repository, keywords) - Move internal planning docs to docs/internal/ (gitignored)
30 lines
986 B
Markdown
30 lines
986 B
Markdown
# Security Policy
|
|
|
|
## Supported Versions
|
|
|
|
Only the current `main` branch is supported with security updates.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
**Do not use public GitHub issues to report security vulnerabilities.**
|
|
|
|
Instead, email **security@quicproquo.org** with:
|
|
|
|
- A description of the vulnerability
|
|
- Steps to reproduce or a proof of concept
|
|
- The affected component(s) and potential impact
|
|
|
|
We will acknowledge your report within **48 hours** and work with you on a fix under a **90-day coordinated disclosure** timeline.
|
|
|
|
## What Qualifies
|
|
|
|
- Cryptographic implementation bugs (MLS, Noise, hybrid KEM, key derivation)
|
|
- Authentication or authorization bypass
|
|
- Key material leakage (memory, logs, network)
|
|
- Protocol-level flaws (replay, downgrade, impersonation)
|
|
- Any issue that compromises message confidentiality or integrity
|
|
|
|
## Credit
|
|
|
|
Reporters are credited in published security advisories unless they prefer to remain anonymous. Let us know your preference when you report.
|