| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues by emailing the maintainers directly at meatsquirk@gmail.com. Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
Once a report is received:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability and determine severity
- Fix Timeline: Critical issues will be addressed within 7 days; others within 30 days
- Disclosure: We will coordinate disclosure timing with you
This library implements several security measures:
- All filesystem paths are validated against directory traversal attacks
- Collection IDs and CIDs are sanitized before use
- Message sizes are bounded to prevent memory exhaustion
- Ed25519 signatures use canonical CBOR encoding
- CID verification ensures content integrity
- No custom cryptographic implementations - uses audited libraries
- Configurable rate limiters for API endpoints, providing protection against denial of service
- All parsing code is fuzz tested
- Targets include: message parsing, manifest parsing, framing, signatures
When using this library:
- Keep Dependencies Updated: Regularly update to get security fixes
- Validate External Input: Always validate data from untrusted sources
- Use Rate Limiting: Enable rate limiting for public endpoints
- Monitor Logs: Watch for suspicious patterns
- Secure Storage: Protect the data directory with appropriate permissions
- Bootstrap Nodes: Verify bootstrap node authenticity in production deployments
- Private Keys: Store Ed25519 private keys securely; never commit them to version control
This library has not yet undergone a formal security audit. We welcome security researchers to review the code and report findings.
We thank the following individuals for responsible disclosure:
- (Your name could be here!)