# Security Policy

## Supported Versions

| Version | Supported |
|---------|-----------|
| 0.x     | Yes       |

## Reporting a Vulnerability

**Do not open a public issue for security vulnerabilities.**

Email security reports to: **security@bimo.studio**

Include:

- Description of the vulnerability
- Steps to reproduce
- Affected component (crypto, transport, SAM, router, etc.)
- Impact assessment if known

We will acknowledge receipt within 48 hours and provide an initial assessment within 7 days.

## Scope

This project implements cryptographic protocols (AES-256-CBC, ChaCha20-Poly1305, Ed25519, X25519, ElGamal, Noise XK) and anonymous network transports (NTCP2, SSU2). Security issues in any of these components are considered critical.

Areas of particular interest:

- Timing side channels in crypto operations
- Nonce reuse or overflow in stream ciphers
- Key material exposure in memory or logs
- Authentication bypass in SAM bridge
- Deanonymization vectors in tunnel construction

## Disclosure Policy

We follow coordinated disclosure. We will:

1. Confirm the vulnerability
2. Develop and test a fix
3. Release a patched version
4. Credit the reporter (unless anonymity is requested)

We aim to release fixes within 30 days of confirmation.