| Version | Supported |
|---|---|
| 0.1.x | ✅ |

We take the security of GhostWire seriously. If you believe you have found a security vulnerability, please report it responsibly:

- Email: mirungu015@proton.me
- PGP Key: Request via email
- Response time: Within 48 hours
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Assessment: Within 7 days
- Fix timeline: Depends on severity
  - Critical: 7 days
  - High: 14 days
  - Medium: 30 days
  - Low: Next release
- Cryptographic implementations (Sphinx, DTN encryption)
- CI/CD pipeline security
- Crate publishing integrity
- Secret management
- Dependency supply chain
- Issues in dependencies (report to upstream maintainers)
- Social engineering attacks
- Physical security
- All actions in CI/CD are SHA-pinned
- Branch protection enabled on `main`
- Least-privilege workflow permissions
- Egress monitoring via `step-security/harden-runner`
- No self-hosted runners (GitHub-hosted only)