## Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue in Post-Incident-Proofs, please follow these steps:

Security vulnerabilities should be reported privately to prevent exploitation.
### Response Timeline

- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Resolution: Within 30 days (depending on complexity)

### Disclosure Policy

- Vulnerabilities will be disclosed publicly after a fix is available
- Credit will be given to reporters in the security advisory
- Coordinated disclosure with affected parties when necessary
## Security Features

Post-Incident-Proofs includes several security features:

### Log Chain Integrity

- HMAC-SHA256 signatures for log chain integrity
- SHA-256 hashing for bundle verification
- Monotonic counters to prevent replay attacks

### Tamper Detection

- < 200ms detection of log modifications
- Zero false negatives in tamper detection
- Formal verification of detection algorithms

### Sliding-Window Detection

- Sliding-window algorithm with formal proofs
- ≤ 0.1% false positives under load
- Zero false negatives guaranteed

### Checkpoint Diff/Patch

- Diff/patch operations with proven invertibility
- 10k cycle stress testing on large checkpoints
- Bit-identical verification after apply/revert
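To make the log-chain properties above concrete, here is an added illustration (not code from Post-Incident-Proofs itself) of how an HMAC-SHA256 chain combined with a monotonic counter catches modification, reordering and replay. The entry layout, the `append`/`verify` functions, the key and the log lines are all constructed for this example; the project's actual wire format is not shown on this page. The example also demonstrates the one case a bare chain cannot catch on its own, silent truncation, and how a separately stored expected length (or the latest counter value) closes that gap.

```python
import copy
import hashlib
import hmac
from typing import List, Optional, Tuple

# Constructed key for this example only; a real deployment loads the HMAC key
# from a secrets store or HSM, never from source (see "Key Management" below).
KEY = b"example-hmac-key-not-for-production"
GENESIS = b"\x00" * 32  # stands in for the "previous tag" of the first entry


def _payload(prev_sig: bytes, seq: int, message: str) -> bytes:
    # Tag input: previous tag (fixed 32 bytes) || counter (fixed 8 bytes) || message.
    # Fixed-width prefixes keep the encoding unambiguous without a separator.
    return prev_sig + seq.to_bytes(8, "big") + message.encode("utf-8")


def append(chain: List[dict], message: str, key: bytes = KEY) -> dict:
    """Append one entry whose HMAC-SHA256 tag covers the previous entry's tag,
    the next monotonic counter value and the message text."""
    prev_sig = bytes.fromhex(chain[-1]["sig"]) if chain else GENESIS
    seq = chain[-1]["seq"] + 1 if chain else 0
    sig = hmac.new(key, _payload(prev_sig, seq, message), hashlib.sha256).digest()
    entry = {"seq": seq, "message": message, "sig": sig.hex()}
    chain.append(entry)
    return entry


def verify(chain: List[dict], key: bytes = KEY,
           expected_len: Optional[int] = None) -> Tuple[bool, str]:
    """Recompute every tag in order. Returns (ok, reason)."""
    prev_sig = GENESIS
    for i, entry in enumerate(chain):
        # The counter must be exactly the position: gaps, swaps and replays fail here.
        if entry["seq"] != i:
            return False, f"counter mismatch at index {i}"
        sig = hmac.new(key, _payload(prev_sig, entry["seq"], entry["message"]),
                       hashlib.sha256).digest()
        # Constant-time comparison avoids leaking tag bytes through timing.
        if not hmac.compare_digest(sig, bytes.fromhex(entry["sig"])):
            return False, f"tag mismatch at index {i}"
        prev_sig = sig
    # Truncation leaves a perfectly valid shorter chain; only an externally
    # anchored length (or latest counter value) can reveal it.
    if expected_len is not None and len(chain) != expected_len:
        return False, f"length mismatch: {len(chain)} != {expected_len}"
    return True, "ok"


def build_sample_chain() -> List[dict]:
    """Constructed sample log lines; not taken from any real system."""
    chain: List[dict] = []
    for line in [
        "user=alice action=login",
        "user=alice action=read file=report.pdf",
        "user=alice action=logout",
        "service=backup action=checkpoint",
    ]:
        append(chain, line)
    return chain


def tamper_cases(chain: List[dict]) -> dict:
    """Apply four classic tampering patterns to copies and report verify()'s verdict."""
    modified = copy.deepcopy(chain)
    modified[1]["message"] = "user=alice action=read file=payroll.xlsx"

    reordered = copy.deepcopy(chain)
    reordered[1], reordered[2] = reordered[2], reordered[1]

    replayed = copy.deepcopy(chain)
    replayed.append(copy.deepcopy(chain[1]))  # old entry re-inserted

    truncated = copy.deepcopy(chain)[:-1]  # last entry silently dropped

    return {
        "modified": verify(modified),
        "reordered": verify(reordered),
        "replayed": verify(replayed),
        "truncated_unknown_len": verify(truncated),
        "truncated_known_len": verify(truncated, expected_len=len(chain)),
    }


if __name__ == "__main__":
    sample = build_sample_chain()
    print("intact:", verify(sample))
    for name, verdict in tamper_cases(sample).items():
        print(f"{name}: {verdict}")
```

The `truncated_unknown_len` case is the one to remember: every tag still validates, so a verifier that only walks the chain reports it as intact. Storing the latest counter value (or the chain length) somewhere the log writer cannot modify, such as in the signed bundle whose SHA-256 hash is checked separately, is what turns the monotonic counter into a truncation check as well as a replay check.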
## Security Best Practices

### For Users

- Key Management: Store HMAC keys securely
- Access Control: Limit access to log files and bundles
- Monitoring: Use the auto-generated dashboards for security monitoring
- Updates: Keep Post-Incident-Proofs updated to the latest version

### For Contributors

- Code Review: All changes require security review
- Testing: Run security tests before deployment
- Dependencies: Keep dependencies updated
- Documentation: Document security assumptions and properties
## Security Testing

We maintain comprehensive security testing:

- Fuzz Testing: Automated input testing with AFL++
- Chaos Testing: High-load stress testing at 30k rps
- Cryptographic Validation: Formal verification of cryptographic properties
- Penetration Testing: Regular security assessments
## Responsible Disclosure

We follow responsible disclosure practices:

- Private Reporting: Security issues reported privately
- Timely Response: Quick response to security reports
- Coordinated Release: Fixes released with security advisories
- Credit Given: Proper attribution to security researchers
We thank the security research community for their contributions to making Post-Incident-Proofs more secure.