| Version | Supported |
|---|---|
| >= 0.3.2 | Yes |
| < 0.3.2 | No |

OWS handles private keys and signing operations. We take security seriously.
Do not open a public issue for security vulnerabilities.
Instead, please email security@dawnlabs.ai with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to provide a fix or mitigation within 7 days for critical issues.

The following are in scope for security reports:
- Key material exposure or leakage
- Bypass of the policy engine
- Signing process key isolation failures
- Vault encryption weaknesses
- Path traversal or unauthorized file access
- Dependency vulnerabilities with a viable exploit path

We follow coordinated disclosure. Please give us reasonable time to address the issue before any public disclosure.

Credit will be given to reporters in the release notes (unless anonymity is preferred).

For details on how OWS protects key material, see: