|
2 | 2 |
|
3 | 3 | ## Supported Versions |
4 | 4 |
|
5 | | -We take security seriously. The following versions of Shadowforge are currently supported with security updates: |
6 | | - |
7 | | -| Version | Supported | Status | |
8 | | -| ------- | ------------------ | ------ | |
9 | | -| 0.7.x | :white_check_mark: | Current stable release | |
10 | | -| < 0.7.0 | :x: | No longer supported | |
| 5 | +| Version | Supported | |
| 6 | +| ------- | ------------------ | |
| 7 | +| 0.7.x | :white_check_mark: | |
| 8 | +| < 0.7 | :x: | |
11 | 9 |
|
12 | 10 | ## Reporting a Vulnerability |
13 | 11 |
|
14 | 12 | **Please do not report security vulnerabilities through public GitHub issues.** |
15 | 13 |
|
16 | | -If you discover a security vulnerability in Shadowforge, please report it responsibly: |
17 | | - |
18 | | -### Primary Contact |
| 14 | +Instead, please report them via: |
19 | 15 |
|
20 | | -- **Email**: <s0ma@protonmail.com> (if available) or open a [private security advisory](https://github.com/greysquirr3l/shadowforge/security/advisories/new) |
21 | | -- **Response Time**: We aim to respond within 48 hours |
| 16 | +1. **Email**: Send details to the repository owner |
| 17 | +2. **Private Security Advisory**: Use GitHub's [private vulnerability reporting](https://github.com/greysquirr3l/shadowforge/security/advisories/new) |
22 | 18 |
|
23 | 19 | ### What to Include |
24 | 20 |
|
25 | | -Please include the following information in your report: |
26 | | - |
27 | | -- **Description**: A clear description of the vulnerability |
28 | | -- **Impact**: The potential impact and severity |
29 | | -- **Steps to Reproduce**: Detailed steps to reproduce the issue |
30 | | -- **Proof of Concept**: Any PoC code or examples (if applicable) |
31 | | -- **Affected Versions**: Which versions are affected |
32 | | -- **Suggested Fix**: If you have a suggested remediation (optional) |
33 | | - |
34 | | -### Security Scope |
35 | | - |
36 | | -We are particularly interested in vulnerabilities related to: |
37 | | - |
38 | | -- ✅ **Cryptographic Operations**: Kyber-1024, Dilithium3, key generation, encryption/decryption |
39 | | -- ✅ **Steganographic Techniques**: LSB, DCT, Phase, Echo, Palette, Text, LSB-Audio |
40 | | -- ✅ **Reed-Solomon Error Correction**: Encoding/decoding, shard recovery |
41 | | -- ✅ **Archive Handling**: Zip slip, path traversal, malicious archives |
42 | | -- ✅ **Input Validation**: Command injection, file path manipulation |
43 | | -- ✅ **Memory Safety**: Buffer overflows, memory leaks, sensitive data exposure |
44 | | -- ✅ **Side-Channel Attacks**: Timing attacks, cache attacks on cryptographic operations |
45 | | -- ✅ **Authentication/Authorization**: Key management, access control |
46 | | - |
47 | | -### Out of Scope |
48 | | - |
49 | | -The following are generally **not** considered security vulnerabilities: |
50 | | - |
51 | | -- ❌ Vulnerabilities in dependencies (report to upstream projects) |
52 | | -- ❌ Social engineering attacks |
53 | | -- ❌ Denial of service through resource exhaustion (expected behavior for large files) |
54 | | -- ❌ Issues in unsupported versions (< 0.7.0) |
55 | | -- ❌ Theoretical attacks without practical exploitation |
56 | | - |
57 | | -## Responsible Disclosure Policy |
58 | | - |
59 | | -We follow a **90-day disclosure timeline**: |
| 21 | +Please include the following information: |
60 | 22 |
|
61 | | -1. **Day 0**: You report the vulnerability privately |
62 | | -2. **Day 1-7**: We acknowledge receipt and begin investigation |
63 | | -3. **Day 7-30**: We develop and test a fix |
64 | | -4. **Day 30-60**: We prepare a security release |
65 | | -5. **Day 60-90**: We coordinate disclosure with you |
66 | | -6. **Day 90**: Public disclosure (or earlier if mutually agreed) |
| 23 | +- **Type of vulnerability** (e.g., timing attack, memory leak, cryptographic flaw) |
| 24 | +- **Full description** of the vulnerability |
| 25 | +- **Steps to reproduce** the issue |
| 26 | +- **Potential impact** and attack scenarios |
| 27 | +- **Affected versions** |
| 28 | +- **Suggested fix** (if known) |
67 | 29 |
|
68 | | -### Credit and Recognition |
| 30 | +### Response Timeline |
69 | 31 |
|
70 | | -- We will credit you in the security advisory (unless you prefer to remain anonymous) |
71 | | -- We maintain a [Security Hall of Fame](https://github.com/greysquirr3l/shadowforge/security/advisories) for responsible disclosures |
72 | | -- Critical vulnerabilities may be eligible for recognition |
| 32 | +- **Initial Response**: Within 48 hours |
| 33 | +- **Status Update**: Within 7 days |
| 34 | +- **Fix Timeline**: Depends on severity |
| 35 | + - Critical: < 7 days |
| 36 | + - High: < 14 days |
| 37 | + - Medium: < 30 days |
| 38 | + - Low: Next release cycle |
73 | 39 |
|
74 | 40 | ## Security Best Practices |
75 | 41 |
|
76 | | -When using Shadowforge, follow these security guidelines: |
| 42 | +When using Shadowforge: |
77 | 43 |
|
78 | | -### Cryptographic Operations |
| 44 | +1. **Always verify checksums** of downloaded binaries |
| 45 | +2. **Use strong passwords** for encrypted archives |
| 46 | +3. **Keep dependencies updated** (check releases regularly) |
| 47 | +4. **Run in isolated environments** when processing untrusted media |
| 48 | +5. **Review security audit reports** before deploying |
79 | 49 |
|
80 | | -- ✅ **Always verify signatures** before trusting extracted data |
81 | | -- ✅ **Use strong passphrases** for key derivation (20+ characters) |
82 | | -- ✅ **Rotate keys regularly** for long-term deployments |
83 | | -- ✅ **Securely store private keys** (use hardware security modules if possible) |
84 | | -- ❌ **Never reuse keys** across different contexts |
85 | | - |
86 | | -### Steganographic Operations |
87 | | - |
88 | | -- ✅ **Use high-quality cover media** to minimize detectability |
89 | | -- ✅ **Monitor capacity limits** to avoid overwriting critical data |
90 | | -- ✅ **Validate extracted data** for corruption or tampering |
91 | | -- ✅ **Use Reed-Solomon encoding** for error correction (30% redundancy recommended) |
92 | | -- ❌ **Don't embed in compressed media** (JPEG quality > 85 recommended) |
93 | | - |
94 | | -### Archive Operations |
95 | | - |
96 | | -- ✅ **Validate archive contents** before extraction |
97 | | -- ✅ **Extract to isolated directories** to prevent path traversal |
98 | | -- ✅ **Scan archives for malware** before processing |
99 | | -- ✅ **Limit archive sizes** to prevent resource exhaustion |
100 | | -- ❌ **Never auto-extract untrusted archives** |
101 | | - |
102 | | -### Operational Security |
103 | | - |
104 | | -- ✅ **Run with least privilege** (don't use root/admin unless required) |
105 | | -- ✅ **Use secure channels** for key exchange (never email keys) |
106 | | -- ✅ **Audit all operations** in production environments |
107 | | -- ✅ **Keep software updated** to the latest stable version |
108 | | -- ❌ **Never log sensitive data** (keys, payloads, passphrases) |
109 | | - |
110 | | -## Security Audits |
111 | | - |
112 | | -Shadowforge undergoes regular security reviews: |
| 50 | +## Known Security Considerations |
113 | 51 |
|
114 | | -- **Code Reviews**: All cryptographic code is peer-reviewed |
115 | | -- **Dependency Scanning**: Automated vulnerability scanning with `go list -m all | nancy sleuth` |
116 | | -- **Static Analysis**: `go vet` and `golangci-lint` on every commit |
117 | | -- **Penetration Testing**: Periodic security assessments (planned) |
| 52 | +### Timing Attacks |
118 | 53 |
|
119 | | -## Known Security Considerations |
| 54 | +- Shadowforge uses constant-time comparison for cryptographic operations |
| 55 | +- Some non-cryptographic code may have timing variations (documented in audit) |
120 | 56 |
|
121 | | -### Post-Quantum Cryptography |
| 57 | +### File Processing |
122 | 58 |
|
123 | | -- **Kyber-1024**: NIST standardized (FIPS 203) - secure against quantum attacks |
124 | | -- **Dilithium3**: NIST standardized (FIPS 204) - quantum-resistant signatures |
125 | | -- **Implementation**: Uses Cloudflare CIRCL library (audited) |
| 59 | +- All archive extraction includes zip-slip protection |
| 60 | +- File size limits enforced to prevent resource exhaustion |
| 61 | +- Sanitization applied to all media inputs |
126 | 62 |
|
127 | | -### Steganographic Detection |
| 63 | +### Cryptographic Guarantees |
128 | 64 |
|
129 | | -- **Statistical Analysis**: LSB/DCT techniques detectable with RS/Chi-square analysis |
130 | | -- **Mitigation**: Use high-quality media, stay under capacity limits, apply ±1 LSB matching |
131 | | -- **Recommendation**: Combine multiple techniques with chaining for enhanced security |
| 65 | +- Post-quantum security via Kyber-1024 (KEM) and Dilithium3 (signatures) |
| 66 | +- AES-GCM for symmetric encryption |
| 67 | +- Argon2id for key derivation |
| 68 | +- HMAC-SHA256 for message authentication |
132 | 69 |
|
133 | | -### Reed-Solomon Error Correction |
| 70 | +## Security Audit |
134 | 71 |
|
135 | | -- **Redundancy Trade-off**: Higher redundancy = better recovery but larger payload |
136 | | -- **Recommendation**: 30% redundancy (3 parity shards per 10 data shards) for standard use |
137 | | -- **Critical Data**: Use 50%+ redundancy for high-reliability requirements |
| 72 | +Latest security audit: [SECURITY_AUDIT_REPORT.md](./SECURITY_AUDIT_REPORT.md) |
| 73 | +Date: December 21, 2025 |
| 74 | +Version: 0.7.6 |
138 | 75 |
|
139 | | -## Contact |
| 76 | +## Hall of Fame |
140 | 77 |
|
141 | | -- **General Security**: <s0ma@protonmail.com> (if available) |
142 | | -- **GitHub Security Advisories**: [Create Private Advisory](https://github.com/greysquirr3l/shadowforge/security/advisories/new) |
143 | | -- **Project Maintainer**: [@greysquirr3l](https://github.com/greysquirr3l) |
| 78 | +Contributors who have responsibly disclosed vulnerabilities will be acknowledged here (with their permission). |
144 | 79 |
|
145 | 80 | --- |
146 | 81 |
|
147 | 82 | **Last Updated**: December 21, 2025 |
148 | | -**Version**: 0.7.5 |
0 commit comments