This project implements post-quantum cryptographic primitives to ensure long-term security against quantum computing threats.
- Signatures: Ed448 (Elliptic Curve Digital Signature Algorithm, NIST Level 3)
- Key Exchange: Kyber1024 (CRYSTALS-Kyber, NIST PQC Round 3 Finalist)
- Hashing: BLAKE3 (cryptographic hash function, faster than SHA-3)
- Additional: SHAKE256 for extendable-output functions
- Strong Primes: Generated from flat distribution (d256 entropy)
- Quantum Resistance: All cryptographic primitives are designed to resist attacks from quantum computers
- Memory Safety: Deno runtime provides V8 sandbox isolation
- Type Safety: TypeScript strict mode + ReScript functional guarantees
- No Unsafe Code: Zero usage of
unsafeblocks or FFI without verification - Supply Chain: Dependencies verified via lockfile, SBOM available
| Version | Supported | End of Life |
|---|---|---|
| 2.x | ✅ Full support | TBD |
| 1.x | 2025-06-01 | |
| < 1.0 | ❌ No support | 2024-01-15 |
Security contact: security@example.com PGP Key: Download Key Response Time: Within 48 hours Disclosure Timeline: 90 days coordinated disclosure
- DO NOT open a public GitHub issue for security vulnerabilities
- Email security@example.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested remediation (if any)
- Use PGP encryption for sensitive details
- Include "SECURITY:" prefix in email subject
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Status Updates: Every 14 days until resolved
- CVE Assignment: If severity warrants (CVSS ≥ 7.0)
- Public Disclosure: Coordinated after patch release (90 days max)
- Credit: Public acknowledgment in CHANGELOG (unless you prefer anonymity)
We use CVSS v3.1 scoring:
| Score | Severity | Response Time | Patch Timeline |
|---|---|---|---|
| 9.0-10.0 | Critical | < 24 hours | < 7 days |
| 7.0-8.9 | High | < 48 hours | < 14 days |
| 4.0-6.9 | Medium | < 7 days | < 30 days |
| 0.1-3.9 | Low | < 14 days | Next release |
- Always use HTTPS: Never transmit credentials over plain HTTP
- Rotate keys regularly: Change encryption keys every 90 days minimum
- Enable audit logging: Track all preference access and modifications
- Use strong passphrases: Minimum 16 characters, high entropy
- Isolate environments: Separate production, staging, development
// ✅ Good: Post-quantum encryption enabled
const injector = new PreferenceInjector({
enableEncryption: true,
encryptionKey: process.env.ENCRYPTION_KEY, // From secure vault
encryptionAlgorithm: 'ed448-kyber1024-blake3',
});
// ❌ Bad: Encryption disabled
const injector = new PreferenceInjector({
enableEncryption: false, // Never do this in production!
});- PII Encryption: Always encrypt personally identifiable information
- Credential Storage: Never store passwords in plain text
- API Keys: Use environment variables or secret management services
- Audit Trails: Enable audit logging for compliance (GDPR, SOC 2, etc.)
- Cryptography Status: Post-quantum primitives designed but not fully implemented
- Offline Mode: Local-first architecture planned but not complete
- WASM Sandbox: Untrusted code execution not yet sandboxed
- Formal Verification: SPARK Ada proofs not implemented
- Full post-quantum cryptography implementation
- WASM sandboxing for user-provided preference scripts
- Formal verification of critical security paths
- Hardware security module (HSM) integration
- Secure enclave support (Intel SGX, ARM TrustZone)
# Encryption
ENCRYPTION_ALGORITHM=ed448-kyber1024-blake3
ENCRYPTION_KEY_ROTATION_DAYS=90
# API Security
API_RATE_LIMIT=100 # requests per minute
API_REQUIRE_AUTH=true
API_CORS_ORIGIN=https://yourdomain.com
# Audit Logging
AUDIT_ENABLED=true
AUDIT_RETENTION_DAYS=365
AUDIT_LOG_LEVEL=info
# TLS/HTTPS
TLS_MIN_VERSION=1.3
TLS_CIPHER_SUITES=TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256All HTTP responses should include:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), microphone=(), camera=()
- Immediate containment: Disable affected systems
- Evidence preservation: Capture logs, memory dumps
- Notification: Contact security@example.com immediately
- User notification: Inform affected users within 72 hours (GDPR requirement)
- Post-mortem: Conduct root cause analysis
- Project Lead: @maintainer (Perimeter 1)
- Security Team: security@example.com
- Emergency: +1-555-SECURITY (24/7 on-call)
- ✅ GDPR: Data protection and privacy (EU)
- ✅ CCPA: California Consumer Privacy Act (US)
⚠️ SOC 2: In progress (expected Q2 2026)⚠️ ISO 27001: Planned for 2026
- NIST Cybersecurity Framework
- CIS Controls v8
- OWASP ASVS Level 2
- Date: 2025-12-17
- Auditor: Internal review (Claude Code assisted)
- Findings: 0 critical, 0 high, 4 medium (fixed), 2 low
- Status: All medium findings remediated
- Scheduled: 2026-Q1
- Type: Third-party penetration testing
- Scope: Full application security assessment
❌ No formal bug bounty program (under consideration)
- In Scope: API endpoints, authentication, encryption, data validation
- Out of Scope: Social engineering, physical attacks, DoS
- Rewards: $100 - $10,000 USD based on severity
We thank the following security researchers for responsible disclosure:
- No vulnerabilities reported yet
Last Updated: 2025-12-17 Policy Version: 2.1 Next Review: 2026-06-17