chore(deps): bump the dependencies group with 2 updates

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    groups:
+      dependencies:
+        patterns:
+          - "*"

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,41 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '37 7 * * 0'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['go']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "/language:${{ matrix.language }}"

.well-known/security.txt

@@ -0,0 +1,4 @@
+Contact: mailto:codethor@gmail.com
+Preferred-Languages: en
+Canonical: https://github.com/codethor0/deadend-lab/blob/main/.well-known/security.txt
+Policy: https://github.com/codethor0/deadend-lab/blob/main/SECURITY.md

README.md

@@ -173,6 +173,16 @@ Include:
 
 Contributions welcome: break NAIVE via demos, add attacks as `cmd/attacks/*`, add invariants/policy tests (do not weaken existing ones). File issues with repro steps and `make release-check` output.
 
+## Security Features
+
+- **Private vulnerability reporting**: Report vulnerabilities privately via GitHub.
+- **Dependabot alerts**: Automatic monitoring of Go module vulnerabilities.
+- **CodeQL scanning**: Static analysis for security and code quality.
+- **Secret scanning**: Detection of accidentally committed secrets.
+- **Security policy**: See [SECURITY.md](SECURITY.md).
+
+To report security issues: use [Private vulnerability reporting](https://github.com/codethor0/deadend-lab/security/advisories/new) or email codethor@gmail.com.
+
 ## Author / Maintainer
 
 - **Thor Thor**

SECURITY.md

@@ -18,7 +18,8 @@ This project is a **research and CTF (Capture The Flag) harness** for studying D
 
 If you discover a vulnerability in this research harness:
 
-1. **For research/CTF issues:** Open a GitHub Issue in this repository.
-2. **For sensitive disclosures:** Contact the maintainers privately (see README maintainers section) if the finding could affect other research tooling or documentation.
+1. **Preferred:** Use [Private vulnerability reporting](https://github.com/codethor0/deadend-lab/security/advisories/new) on GitHub.
+2. **Alternative:** Email codethor@gmail.com with details.
+3. **For research/CTF issues:** Open a GitHub Issue in this repository.
 
 We do not offer bug bounties. This is a learning and research project.

go.mod

@@ -1,10 +1,10 @@
 module deadend-lab
 
-go 1.22
+go 1.22.0
 
 require (
-	github.com/cloudflare/circl v1.3.7
-	golang.org/x/crypto v0.22.0
+	github.com/cloudflare/circl v1.6.3
+	golang.org/x/crypto v0.30.0
 )
 
-require golang.org/x/sys v0.19.0 // indirect
+require golang.org/x/sys v0.28.0 // indirect

go.sum

@@ -1,6 +1,6 @@
-github.com/cloudflare/circl v1.3.7 h1:qlCDlTPz2n9fu58M0Nh1J/JzcFpfgkFHHX3O35r5vcU=
-github.com/cloudflare/circl v1.3.7/go.mod h1:sRTcRWXGLrKw6yIGJ+l7amYJFfAXbZG0kBSc8r4zxgA=
-golang.org/x/crypto v0.22.0 h1:g1v0xeRhjcugydODzvb3mEM9SQ0HGp9s/nh3COQ/C30=
-golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
-golang.org/x/sys v0.19.0 h1:q5f1RH2jigJ1MoAWp2KTp3gm5zAGFUTarQZ5U386+4o=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
+golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
+golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=