Project

Security Policy

Reporting a vulnerability

Email andri@andri.is. If you need encryption for the report itself, say so in a first plaintext mail and a key will be provided (a published PGP key will be added here before any code ships).

Please include: affected component/doc section, impact as you understand it, and reproduction steps or a proof-of-concept where applicable.

What to expect

  • Acknowledgment within 72 hours.
  • Assessment and a remediation plan within 14 days for confirmed issues.
  • Credit in release notes (or anonymity, your choice). No bounty program yet — this is an unfunded open project; recognition is what we have.

Ground rules

  • Coordinated disclosure: please give us the 14-day assessment window before publishing.
  • During the current design phase (M0), flaws in the specifications — threat-model gaps, broken constructions, unstated assumptions in docs/04-cryptography.md — are in scope and especially valuable. Finding them now is cheap; finding them after M1 is not.

Scope notes

Accepted limitations documented in 02 — Threat Model §4 (e.g. persistently compromised endpoints, LoRa radio observability, global passive adversaries) are known trade-offs, not vulnerabilities — but arguments that a documented limitation is understated are very much in scope.

Edit this page on GitHub ↗