| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability, please report it responsibly.
- Preferred: Open a security advisory on the repository
- Alternative: Email security concerns to the maintainers listed in MAINTAINERS.md
- Do NOT: Open public issues for security vulnerabilities
Response times:
- Acknowledgement: within 24 hours
- Initial assessment: within 72 hours
- Fix timeline: depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: 90 days
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if available)
- Your contact information
This project implements the following security practices:
- Memory safety
  - Written in Rust with compile-time type checking
  - No `unsafe` code blocks without explicit justification
  - Memory safety guaranteed by the ownership model
- Cryptography
  - SHAKE256 (d=256) for file checksums
  - FIPS 202 compliant implementation
  - No custom cryptography
- Supply chain
  - SPDX headers on all source files
  - Pinned dependencies (no floating versions)
  - Regular dependency audits via `cargo audit`
  - SBOM generation available
- Containers
  - Chainguard Wolfi base images (minimal attack surface)
  - Non-root container execution
  - No privileged operations required
  - Podman (rootless) preferred over Docker
Not applicable - this is a CLI tool.
We follow coordinated disclosure:
- Reporter submits vulnerability
- We acknowledge within 24 hours
- We assess the report and develop a fix
- Reporter is credited (unless anonymity requested)
- Public disclosure after fix is released
| Date | Auditor | Scope | Findings |
|---|---|---|---|
| 2024-01-01 | Self-audit | Full codebase | N/A |
Security researchers who have responsibly disclosed vulnerabilities:
- (None yet - be the first!)