Skip to content

Security: wickra-lib/wickra-proof

Security

SECURITY.md

Security Policy

wickra-proof is verification software: it recomputes a deterministic backtest report and a canonical hash from a (spec, data) pair and compares it against a claimed report. It places no orders, holds no secret material, and opens no authenticated connections. The attack surface is therefore narrow — principally the parsing of untrusted ProofSpec / candle data and claimed-proof JSON as it crosses the C ABI and WASM boundary. See THREAT_MODEL.md for the asset and trust-boundary breakdown.

Supported versions

Until the first stable release, only the latest 0.x minor line receives security fixes.

Version Supported
latest 0.x
older

Reporting a vulnerability

Please report suspected vulnerabilities privately via GitHub's security advisories form rather than a public issue. We aim to acknowledge within 72 hours.

Because the entire product value is determinism, a report that a given (spec, data) yields a different report_hash across two languages or two runs is treated as a security-class defect: it breaks the verifiability guarantee. Please include the spec, the data, and both hashes.

Scope

In scope: memory-safety or panic issues reachable by parsing untrusted input at the FFI/WASM boundary; any cross-language or cross-run divergence of report_hash for identical input; canonicalization ambiguities.

Out of scope: the correctness of a strategy's economics; third-party registries; denial of service from pathologically large inputs supplied by the caller.

There aren't any published security advisories