| Version | Supported |
|---|---|
| 1.x | ✅ Yes |
Do NOT open a public GitHub issue for security vulnerabilities.
Please report security issues via one of these channels:
- Email: security@cenv.dev (PGP key available at keybase.io/cenv)
- GitHub Security Advisory: Use the "Report a vulnerability" button on the Security tab
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (optional)
| Action | Timeline |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix + coordinated disclosure | Within 90 days |
cenv's security relies on:
- AES-256-GCM — an AEAD, assumed computationally secure against chosen-plaintext and chosen-ciphertext attacks; any modification of a ciphertext is rejected on decryption
- PBKDF2-HMAC-SHA256 (600k iterations) — brute-force resistant; 600,000 is the iteration count the OWASP Password Storage Cheat Sheet recommends for PBKDF2-HMAC-SHA256
- Master key secrecy — if `CENV_MASTER_KEY` is compromised, all `.cenv` files encrypted with it are compromised
- Nonce uniqueness — the nonce is 12 random bytes, and re-encryption generates a new nonce. Because nonces are drawn at random rather than from a counter, uniqueness is probabilistic: NIST SP 800-38D limits a single AES-GCM key to 2^32 encryptions with random 96-bit nonces
In scope:
- Cryptographic weaknesses in the `.cenv` format
- Key derivation vulnerabilities
- Parser bugs that leak plaintext
- Side-channel attacks in implementations
Out of scope:
- The security of the master key storage mechanism (that's the user's responsibility)
- Attacks requiring physical access to a machine on which the secrets are already decrypted