Security: xor-cipher/xor-cipher-core

SECURITY.md

Security Policy

Reporting

Thank you for taking the time to responsibly disclose any problems you find.

Do not file public issues as they are open for everyone to see!

All security vulnerabilities in xor-cipher-core should be reported by email to security@xor-cipher.org. Your report will be acknowledged within 24 hours, and you will receive a more detailed response within 48 hours indicating the next steps in handling your report.

You can encrypt your report using our public key: FF8BC4BD3679FEC28A1CF79ED063CCAB4A83E040. This key is also available on MIT's Key Server and reproduced below.

After the initial reply to your report, the core team will try to keep you informed of the progress being made towards a fix and official announcement. These updates will be sent at least every five days. In reality, this is more likely to be every 24-48 hours.

Disclosure Policy

xor-cipher-core has a 5-step disclosure process:

  1. The security report is received and is assigned a primary handler. This person will coordinate the fix and release process.

  2. The problem is confirmed and a list of all affected versions is determined.

  3. Code is audited to find any potential similar problems.

  4. Fixes are prepared for all releases which are still under maintenance. These fixes are not committed to the public repository but rather held locally pending the announcement.

  5. On the embargo date, the changes are pushed to the public repository and new builds are deployed.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the issue in as timely a manner as possible; however, it is important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.

Attribution

This Security Policy is adapted from Rust's Security Policy.
