From 88375da30ea667ec25c2000874557fcc4785a558 Mon Sep 17 00:00:00 2001 From: gabrix73 Date: Fri, 10 Apr 2026 16:10:48 +0200 Subject: Initial commit: Veilith v0.9 - P2P Encrypted Messenger Military-grade secure messenger with: - End-to-End Encryption (Noise Protocol XX) - Forward Secrecy (automatic session rotation) - Anti-Traffic Analysis (padding + cover traffic) - Secure Deletion (DOD 5220.22-M) - Tor Integration (embedded with bridge support) - Portable Mode (no installation required) Generated with Claude Code --- SECURITY.md | 93 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 SECURITY.md (limited to 'SECURITY.md') diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..fedabad --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,93 @@ +# Security Policy + +## Supported Versions + +Currently, Veilith is in active development (version 0.9). Security updates are applied to the latest version only. + +| Version | Supported | +| ------- | ------------------ | +| 0.9.x | :white_check_mark: | +| < 0.9 | :x: | + +## Reporting a Vulnerability + +**DO NOT** open public GitHub issues for security vulnerabilities. + +If you discover a security vulnerability in Veilith, please report it responsibly: + +### Preferred Method: Encrypted Email + +1. Use PGP/GPG encryption for sensitive reports +2. Send to: [Create a secure contact method] +3. Include: + - Description of the vulnerability + - Steps to reproduce + - Potential impact + - Suggested fix (if available) + +### Response Timeline + +- **Initial Response**: Within 48 hours +- **Vulnerability Assessment**: Within 7 days +- **Fix Timeline**: Depends on severity + - Critical: 1-7 days + - High: 7-14 days + - Medium: 14-30 days + - Low: Next scheduled release + +## Security Features + +Veilith implements multiple layers of defense: + +- **End-to-End Encryption**: Noise Protocol (XX pattern) +- **Forward Secrecy**: Automatic session key rotation +- **Anti-Traffic Analysis**: Padding + cover traffic +- **Secure Deletion**: DOD 5220.22-M wiping +- **Transport Security**: Tor + Bridge support +- **Zero Metadata**: No persistent logs + +## Out of Scope + +The following are considered **out of scope** for security reports: + +- Social engineering attacks +- Physical access attacks +- DoS/DDoS attacks +- Issues in third-party dependencies (report upstream) +- Theoretical attacks without practical exploit + +## Disclosure Policy + +- Security researchers will be credited (with permission) +- Public disclosure after fix is released +- CVE will be requested for critical vulnerabilities +- Security advisory published on GitHub + +## Security Best Practices + +Users should: + +1. Keep Veilith updated to the latest version +2. Verify binary signatures before installation +3. Use portable mode on untrusted systems +4. Enable emergency wipe if at risk +5. Verify contact fingerprints out-of-band +6. Use Tor bridges in hostile environments + +## Cryptographic Implementation + +Veilith uses well-audited cryptographic libraries: + +- **Noise Protocol**: `flynn/noise` (Go implementation) +- **Tor**: Embedded Tor with authenticated bridges +- **RNG**: System cryptographic RNG (`crypto/rand`) + +We **never** implement custom cryptography. + +## Bug Bounty + +Currently, Veilith does not offer a paid bug bounty program. However, we deeply appreciate responsible disclosure and will publicly credit researchers (with permission). + +--- + +**Last Updated**: 2026-04-10 -- cgit v1.2.3