| Version | Supported |
|---|---|
| 0.7.x | ✅ |
| < 0.7 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via:
- Email: Send details to the repository owner
- Private Security Advisory: Use GitHub's private vulnerability reporting
Please include the following information:
- Type of vulnerability (e.g., timing attack, memory leak, cryptographic flaw)
- Full description of the vulnerability
- Steps to reproduce the issue
- Potential impact and attack scenarios
- Affected versions
- Suggested fix (if known)
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity
  - Critical: < 7 days
  - High: < 14 days
  - Medium: < 30 days
  - Low: Next release cycle
When using Shadowforge:
- Always verify checksums of downloaded binaries
- Use strong passwords for encrypted archives
- Keep dependencies updated (check releases regularly)
- Run in isolated environments when processing untrusted media
- Review security audit reports before deploying
Security properties of Shadowforge:
- Shadowforge uses constant-time comparison for cryptographic operations
- Some non-cryptographic code may have timing variations (documented in the audit report)
- All archive extraction includes zip-slip protection
- File size limits are enforced to prevent resource exhaustion
- Sanitization is applied to all media inputs
- Post-quantum security via Kyber-1024 (KEM) and Dilithium3 (signatures)
- AES-GCM for symmetric encryption
- Argon2id for key derivation
- HMAC-SHA256 for message authentication
Latest security audit: SECURITY_AUDIT_REPORT.md (Date: December 21, 2025; Version: 0.7.6)
Contributors who have responsibly disclosed vulnerabilities will be acknowledged here (with their permission).
Last Updated: December 21, 2025