security policy

coordinated vulnerability disclosure

all security research follows coordinated vulnerability disclosure (cvd).

reporting a vulnerability

if you find a security issue in 1seal:

  1. do not open a public GitHub issue
  2. email: security@1seal.org
  3. include:
    • description of the vulnerability
    • steps to reproduce
    • potential impact
    • suggested fixes (optional)

what to expect

  • acknowledgment target: 48 hours (not a guarantee)
  • initial assessment target: 7 days (not a guarantee)
  • regular updates while remediation is in progress
  • credit in advisory (unless you prefer anonymity)

scope

this policy covers:

  • 1seal specifications and protocols
  • documentation that could lead to security issues

out of scope:

  • social engineering attacks
  • denial of service attacks that don't exploit a bug
  • issues in dependencies (report to upstream)

disclosure timeline

targets (not guarantees):

  • fix critical issues within 14 days
  • fix high severity within 30 days
  • fix medium/low within 90 days

disclosure timing is coordinated with reporters. disclosure does not occur before fixes are available unless there is active exploitation.

our research

our own security research on trust infrastructure follows the same cvd principles:

  • report through appropriate channels
  • provide reasonable time for fixes
  • do not disclose details until fixes are released
  • coordinate on disclosure timing with maintainers

public statements about our research reference only published advisories for which fixes have been released and credit is visible.