@akaoio/gun is a security-hardened fork of GUN with enterprise-grade cryptographic enhancements and WebAuthn support. Security is our absolute top priority, and this fork includes significant security improvements over the original GUN implementation while maintaining full backward compatibility.
This fork addresses several critical security areas with substantial improvements:
- Hardware Security Keys: Full support for YubiKey, Titan, FIDO2 keys
- Biometric Authentication: Face ID, Touch ID, Windows Hello integration
- Enhanced Authentication Flow: Seamless WebAuthn integration with existing GUN user APIs
- Multi-Factor Authentication: Hardware-backed second factor authentication
- Deterministic Key Generation: Reproducible cryptographic keys from seeds
- Enhanced ECC Validation: Complete elliptic curve point validation with missing B parameter fix
- ArrayBuffer Support: Modern binary data operations for crypto functions
- PBKDF2 Hardening: Improved salt handling and numeric conversion security
- Attack Prevention: Enhanced user object destructuring to prevent common attacks
- Secure Options: Localized options in SEA.check.pub to prevent manipulation
- Signature Validation: Improved WebAuthn signature handling and verification
- Vulnerability Fixes: Multiple security patches for known cryptographic issues
We provide security updates for the following versions:
| Version | Supported | Security Enhancements |
|---|---|---|
| @akaoio/gun 0.2020.x | ✅ Recommended | Full security suite + WebAuthn |
| Original GUN 0.2020.x | Original security only | |
| < 0.2020 | ❌ Not supported | Deprecated |
Migration Recommendation: For new projects and security-sensitive applications, use @akaoio/gun for enhanced security features while maintaining full compatibility.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.
When reporting vulnerabilities, please include the following details:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact if left unaddressed
- Suggested mitigation or resolution if any
We aim to confirm the receipt of your vulnerability report within 48 hours. Depending on the severity and complexity of the issue, we strive to investigate the issue and provide an initial response within a week.
If the vulnerability is confirmed, we will work on a fix and plan a release. We ask that you do not publicly disclose the issue until it has been addressed by us.
We follow industry-standard security practices with additional enhancements:
- Cryptographic Best Practices: All crypto operations use vetted algorithms and implementations
- WebAuthn Compliance: Full FIDO2/WebAuthn specification compliance for hardware authentication
- Regular Security Audits: Continuous code review and security testing of enhancements
- Vulnerability Management: Proactive identification and remediation of security issues
- Secure Development: Security-first approach to all new features and improvements
- ECC Curve Validation: Complete point validation prevents invalid curve attacks
- Deterministic Security: Reproducible key generation with cryptographically secure seeds
- Memory Safety: Proper handling of sensitive cryptographic material
- Timing Attack Prevention: Constant-time operations where cryptographically relevant
We will communicate any security updates through our standard communication channels, including our project's release notes and official website.
We greatly value the work of security researchers and believe that responsible disclosure of vulnerabilities is a valuable contribution to the security of the Internet. We encourage users to contribute to the security of our project by reporting any security-related issues to us.