# Security Policy ## Supported Versions Currently, Khimera is in active development (version 0.9). Security updates are applied to the latest version only. | Version | Supported | | ------- | ------------------ | | 0.9.x | :white_check_mark: | | < 0.9 | :x: | ## Reporting a Vulnerability **DO NOT** open public GitHub issues for security vulnerabilities. If you discover a security vulnerability in Khimera, please report it responsibly: ### Preferred Method: Encrypted Email 1. Use PGP/GPG encryption for sensitive reports 2. Send to: [Create a secure contact method] 3. Include: - Description of the vulnerability - Steps to reproduce - Potential impact - Suggested fix (if available) ### Response Timeline - **Initial Response**: Within 48 hours - **Vulnerability Assessment**: Within 7 days - **Fix Timeline**: Depends on severity - Critical: 1-7 days - High: 7-14 days - Medium: 14-30 days - Low: Next scheduled release ## Security Features Khimera implements multiple layers of defense: - **End-to-End Encryption**: Noise Protocol (XX pattern) - **Forward Secrecy**: Automatic session key rotation - **Anti-Traffic Analysis**: Padding + cover traffic - **Secure Deletion**: DOD 5220.22-M wiping - **Transport Security**: Tor + Bridge support - **Zero Metadata**: No persistent logs ## Out of Scope The following are considered **out of scope** for security reports: - Social engineering attacks - Physical access attacks - DoS/DDoS attacks - Issues in third-party dependencies (report upstream) - Theoretical attacks without practical exploit ## Disclosure Policy - Security researchers will be credited (with permission) - Public disclosure after fix is released - CVE will be requested for critical vulnerabilities - Security advisory published on GitHub ## Security Best Practices Users should: 1. Keep Khimera updated to the latest version 2. Verify binary signatures before installation 3. Use portable mode on untrusted systems 4. Enable emergency wipe if at risk 5. Verify contact fingerprints out-of-band 6. Use Tor bridges in hostile environments ## Cryptographic Implementation Khimera uses well-audited cryptographic libraries: - **Noise Protocol**: `flynn/noise` (Go implementation) - **Tor**: Embedded Tor with authenticated bridges - **RNG**: System cryptographic RNG (`crypto/rand`) We **never** implement custom cryptography. ## Bug Bounty Currently, Khimera does not offer a paid bug bounty program. However, we deeply appreciate responsible disclosure and will publicly credit researchers (with permission). --- **Last Updated**: 2026-04-10