summaryrefslogtreecommitdiffstats
path: root/SECURITY.md
diff options
context:
space:
mode:
Diffstat (limited to 'SECURITY.md')
-rw-r--r--SECURITY.md93
1 files changed, 93 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..fedabad
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,93 @@
+# Security Policy
+
+## Supported Versions
+
+Currently, Veilith is in active development (version 0.9). Security updates are applied to the latest version only.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 0.9.x | :white_check_mark: |
+| < 0.9 | :x: |
+
+## Reporting a Vulnerability
+
+**DO NOT** open public GitHub issues for security vulnerabilities.
+
+If you discover a security vulnerability in Veilith, please report it responsibly:
+
+### Preferred Method: Encrypted Email
+
+1. Use PGP/GPG encryption for sensitive reports
+2. Send to: [Create a secure contact method]
+3. Include:
+ - Description of the vulnerability
+ - Steps to reproduce
+ - Potential impact
+ - Suggested fix (if available)
+
+### Response Timeline
+
+- **Initial Response**: Within 48 hours
+- **Vulnerability Assessment**: Within 7 days
+- **Fix Timeline**: Depends on severity
+ - Critical: 1-7 days
+ - High: 7-14 days
+ - Medium: 14-30 days
+ - Low: Next scheduled release
+
+## Security Features
+
+Veilith implements multiple layers of defense:
+
+- **End-to-End Encryption**: Noise Protocol (XX pattern)
+- **Forward Secrecy**: Automatic session key rotation
+- **Anti-Traffic Analysis**: Padding + cover traffic
+- **Secure Deletion**: DOD 5220.22-M wiping
+- **Transport Security**: Tor + Bridge support
+- **Zero Metadata**: No persistent logs
+
+## Out of Scope
+
+The following are considered **out of scope** for security reports:
+
+- Social engineering attacks
+- Physical access attacks
+- DoS/DDoS attacks
+- Issues in third-party dependencies (report upstream)
+- Theoretical attacks without practical exploit
+
+## Disclosure Policy
+
+- Security researchers will be credited (with permission)
+- Public disclosure after fix is released
+- CVE will be requested for critical vulnerabilities
+- Security advisory published on GitHub
+
+## Security Best Practices
+
+Users should:
+
+1. Keep Veilith updated to the latest version
+2. Verify binary signatures before installation
+3. Use portable mode on untrusted systems
+4. Enable emergency wipe if at risk
+5. Verify contact fingerprints out-of-band
+6. Use Tor bridges in hostile environments
+
+## Cryptographic Implementation
+
+Veilith uses well-audited cryptographic libraries:
+
+- **Noise Protocol**: `flynn/noise` (Go implementation)
+- **Tor**: Embedded Tor with authenticated bridges
+- **RNG**: System cryptographic RNG (`crypto/rand`)
+
+We **never** implement custom cryptography.
+
+## Bug Bounty
+
+Currently, Veilith does not offer a paid bug bounty program. However, we deeply appreciate responsible disclosure and will publicly credit researchers (with permission).
+
+---
+
+**Last Updated**: 2026-04-10