From 9ffa7148799e9456e0ca2a9f05ea64da95d3d652 Mon Sep 17 00:00:00 2001 From: Thor Thor Date: Mon, 9 Feb 2026 22:09:43 -0600 Subject: [PATCH 1/2] security: Dependabot, CodeQL, security.txt, private reporting docs Co-authored-by: Cursor --- .github/dependabot.yml | 10 +++++++ .github/workflows/codeql-analysis.yml | 41 +++++++++++++++++++++++++++ .well-known/security.txt | 4 +++ README.md | 10 +++++++ SECURITY.md | 5 ++-- 5 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 .github/dependabot.yml create mode 100644 .github/workflows/codeql-analysis.yml create mode 100644 .well-known/security.txt diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..e547c35 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: + - package-ecosystem: "gomod" + directory: "/" + schedule: + interval: "weekly" + groups: + dependencies: + patterns: + - "*" diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml new file mode 100644 index 0000000..7f8878d --- /dev/null +++ b/.github/workflows/codeql-analysis.yml @@ -0,0 +1,41 @@ +name: "CodeQL" + +on: + push: + branches: [main] + pull_request: + branches: [main] + schedule: + - cron: '37 7 * * 0' + +jobs: + analyze: + name: Analyze + runs-on: ubuntu-latest + permissions: + actions: read + contents: read + security-events: write + + strategy: + fail-fast: false + matrix: + language: ['go'] + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Initialize CodeQL + uses: github/codeql-action/init@v3 + with: + languages: ${{ matrix.language }} + queries: security-and-quality + + - name: Autobuild + uses: github/codeql-action/autobuild@v3 + + - name: Perform CodeQL Analysis + uses: github/codeql-action/analyze@v3 + with: + category: "/language:${{ matrix.language }}" diff --git a/.well-known/security.txt b/.well-known/security.txt new file mode 100644 index 0000000..634d7bb --- /dev/null 
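Review bot: The Dependabot configuration watches only the `gomod` ecosystem, so the GitHub Actions this same commit introduces in `.github/workflows/codeql-analysis.yml` (`actions/checkout`, `github/codeql-action/*`) get no update or alert coverage, and workflow actions are a supply-chain surface of their own. Add a second `updates` entry for the `github-actions` ecosystem with `directory: "/"`, which Dependabot resolves to `.github/workflows/`; the same weekly cadence and its own group keep PR noise low. As far as I recall, `groups` only affects version-update PRs and Dependabot security updates are still opened one per advisory unless `applies-to: security-updates` is set, so the grouping here should not delay a security-motivated bump.
```yaml
  # … unchanged: gomod entry …
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      actions:
        patterns:
          - "*"
```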
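Review bot: Every `uses:` in the CodeQL workflow references a mutable tag (`actions/checkout@v4`, `github/codeql-action/init@v3`, `autobuild@v3`, `analyze@v3`), so whoever can move those tags controls what runs in a job that reads the repository and holds `security-events: write`. The usual hardening is to pin each step to a full-length commit SHA and keep the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, repeated for the three `codeql-action` steps. The version comment is also what Dependabot's `github-actions` ecosystem uses to propose bumps, so SHA pinning and adding that ecosystem to `dependabot.yml` belong together. The job-level `permissions` block is already least-privilege for this job; worth a one-line comment above it saying so, so nobody widens it later to "fix" an upload error.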
+++ b/.well-known/security.txt @@ -0,0 +1,4 @@ +Contact: mailto:codethor@gmail.com +Preferred-Languages: en +Canonical: https://github.com/codethor0/deadend-lab/blob/main/.well-known/security.txt +Policy: https://github.com/codethor0/deadend-lab/blob/main/SECURITY.md diff --git a/README.md b/README.md index 2cb7c73..48b7b42 100644 --- a/README.md +++ b/README.md @@ -173,6 +173,16 @@ Include: Contributions welcome: break NAIVE via demos, add attacks as `cmd/attacks/*`, add invariants/policy tests (do not weaken existing ones). File issues with repro steps and `make release-check` output. +## Security Features + +- **Private vulnerability reporting**: Report vulnerabilities privately via GitHub. +- **Dependabot alerts**: Automatic monitoring of Go module vulnerabilities. +- **CodeQL scanning**: Static analysis for security and code quality. +- **Secret scanning**: Detection of accidentally committed secrets. +- **Security policy**: See [SECURITY.md](SECURITY.md). + +To report security issues: use [Private vulnerability reporting](https://github.com/codethor0/deadend-lab/security/advisories/new) or email codethor@gmail.com. + ## Author / Maintainer - **Thor Thor** diff --git a/SECURITY.md b/SECURITY.md index 9e392e6..e4dbe66 100644 --- a/SECURITY.md +++ b/SECURITY.md 
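Review bot: The new `security.txt` has no `Expires:` field, which RFC 9116 makes mandatory; without it a consumer cannot tell whether the `Contact:` and `Policy:` pointers are still current, and conformance validators reject the file. Add a line such as `Expires: 2027-02-09T00:00:00.000Z` (the RFC recommends no more than about a year out) and note in SECURITY.md or the release checklist that it has to be bumped. `Canonical:` is meant to be the URL the file is actually fetched from; a `github.com/.../blob/main/...` URL is acceptable for a repository-only project, but if the file is ever hosted it should list the `https://<host>/.well-known/security.txt` location instead.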
@@ -18,7 +18,8 @@ This project is a **research and CTF (Capture The Flag) harness** for studying D If you discover a vulnerability in this research harness: -1. **For research/CTF issues:** Open a GitHub Issue in this repository. -2. **For sensitive disclosures:** Contact the maintainers privately (see README maintainers section) if the finding could affect other research tooling or documentation. +1. **Preferred:** Use [Private vulnerability reporting](https://github.com/codethor0/deadend-lab/security/advisories/new) on GitHub. +2. **Alternative:** Email codethor@gmail.com with details. +3. **For research/CTF issues:** Open a GitHub Issue in this repository. We do not offer bug bounties. This is a learning and research project. From 9277891646e767a741c983a082d1017a36bf69b0 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 10 Feb 2026 04:10:31 +0000 Subject: [PATCH 2/2] chore(deps): bump the dependencies group with 2 updates Bumps the dependencies group with 2 updates: [github.com/cloudflare/circl](https://github.com/cloudflare/circl) and [golang.org/x/crypto](https://github.com/golang/crypto). Updates `github.com/cloudflare/circl` from 1.3.7 to 1.6.3 - [Release notes](https://github.com/cloudflare/circl/releases) - [Commits](https://github.com/cloudflare/circl/compare/v1.3.7...v1.6.3) Updates `golang.org/x/crypto` from 0.22.0 to 0.30.0 - [Commits](https://github.com/golang/crypto/compare/v0.22.0...v0.30.0) --- updated-dependencies: - dependency-name: github.com/cloudflare/circl dependency-version: 1.6.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies - dependency-name: golang.org/x/crypto dependency-version: 0.30.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: dependencies ... 
Signed-off-by: dependabot[bot]
---
 go.mod | 8 ++++----
 go.sum | 12 ++++++------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/go.mod b/go.mod
index 399b319..3ae8e2e 100644
--- a/go.mod
+++ b/go.mod
@@ -1,10 +1,10 @@
 module deadend-lab
-go 1.22
+go 1.22.0
 require (
- github.com/cloudflare/circl v1.3.7
- golang.org/x/crypto v0.22.0
+ github.com/cloudflare/circl v1.6.3
+ golang.org/x/crypto v0.30.0
 )
-require golang.org/x/sys v0.19.0 // indirect
+require golang.org/x/sys v0.28.0 // indirect
diff --git a/go.sum b/go.sum
index a358892..a15eb94 100644
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,6 @@
-github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
-github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
+golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
+golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=