A Python port of the Invisible Internet Project (I2P)
# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 0.x     | Yes       |

## Reporting a Vulnerability

**Do not open a public issue for security vulnerabilities.**

Email security reports to: **security@bimo.studio**

Include:
- Description of the vulnerability
- Steps to reproduce
- Affected component (crypto, transport, SAM, router, etc.)
- Impact assessment if known

We will acknowledge receipt within 48 hours and provide an initial
assessment within 7 days.

## Scope

This project implements cryptographic protocols (AES-256-CBC,
ChaCha20-Poly1305, Ed25519, X25519, ElGamal, Noise XK) and anonymous
network transports (NTCP2, SSU2). Security issues in any of these
components are considered critical.

Areas of particular interest:
- Timing side channels in crypto operations
- Nonce reuse or overflow in stream ciphers
- Key material exposure in memory or logs
- Authentication bypass in SAM bridge
- Deanonymization vectors in tunnel construction

## Disclosure Policy

We follow coordinated disclosure. We will:
1. Confirm the vulnerability
2. Develop and test a fix
3. Release a patched version
4. Credit the reporter (unless anonymity is requested)

We aim to release fixes within 30 days of confirmation.