| Version | Supported |
|---|---|
| Latest | Yes |

Do not open public GitHub issues for security vulnerabilities.
Report vulnerabilities through GitHub Security Advisories.
Contact the maintainers directly through GitHub with a detailed description of the vulnerability. Include the following in your report:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

Expected response times:

- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Resolution target: Within 90 days

We follow a 90-day responsible disclosure timeline. We ask that you:

- Report the vulnerability privately
- Allow reasonable time for a fix before public disclosure
- Do not exploit the vulnerability beyond what is necessary to demonstrate it

Security issues in the following areas are in scope:

- Cryptographic implementation (ChaCha20, Poly1305, AEAD)
- Wire protocol vulnerabilities
- Key handling and memory safety
- Buffer overflows or memory corruption
- Authentication bypass

The following are out of scope:

- Social engineering
- Denial of service (unless caused by a specific code flaw)
- Issues in third-party dependencies (we have none)

This tool is designed for authorized security testing only. Unauthorized use against systems you do not own or have explicit permission to test is illegal and unethical.