## Supported Versions

| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |

## Reporting a Vulnerability

We take security seriously in QSSH, especially given its role in secure communications.

Please report security vulnerabilities through one of these channels:

- Email: sylvain@paraxiom.org
- GitHub Security Advisories: use the Security tab in this repository
- Encrypted communication: use our PGP key (available in the repository)

Please include in your report:

- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if available)

Response timeline:

- Initial response: within 48 hours
- Status update: within 7 days
- Resolution target: within 30 days for critical issues

## Disclosure Process

We follow responsible disclosure:

- Reporter submits the vulnerability privately
- We acknowledge and investigate
- We develop and test a fix
- We release the fix
- We publicly disclose the vulnerability after users have had time to update

## Cryptography

QSSH uses NIST-approved post-quantum algorithms:

- Falcon-512: digital signatures
- SPHINCS+: alternative signatures (stateless)
- Kyber: key encapsulation

Implementation safeguards:

- Written in Rust for memory safety
- No unsafe code in cryptographic operations
- Regular dependency updates
- Continuous security testing

Known limitations:

- This is a new implementation; use with appropriate caution
- Not yet externally audited
- Should be used alongside defense-in-depth strategies

## Acknowledgements

We currently don't offer a formal bug bounty program, but we deeply appreciate security researchers who help improve QSSH. Contributors will be acknowledged (unless they prefer to remain anonymous).

For any security concerns, please reach out. We appreciate your help in keeping QSSH secure.