Security: Haldir-AI/.github

SECURITY.md

Security Policy

Reporting a Vulnerability

Do not open public issues for security vulnerabilities.

Email: security@haldir.ai

We aim to respond within 48 hours and provide a fix within 7 days for critical issues.

Scope

In Scope

  • Cryptographic vulnerabilities in the signing/verification flow
  • Bypass of integrity checks or revocation enforcement
  • Path traversal, symlink attacks, or other filesystem safety issues
  • Denial of service via malformed .vault/ envelopes
  • Signature verification bypass or forgery
  • Revocation list tampering or rollback attacks

Out of Scope

  • Issues requiring physical access to signing keys
  • Theoretical attacks requiring >2^128 operations
  • Attacks on dependencies (report to the dependency maintainers)
  • Social engineering attacks

Disclosure Timeline

  1. Report received → Acknowledgment within 48 hours
  2. Fix developed → Coordinated disclosure date agreed
  3. CVE assigned (if applicable)
  4. Public disclosure after fix is released

Security Best Practices

When using Haldir:

  • Protect signing keys. Use hardware security modules (HSMs) or platform secret managers.
  • Use Sigstore keyless signing (when available) to eliminate long-term key storage.
  • Verify skills before installation. Never skip verification in production.
  • Keep revocation lists fresh. Fetch updated lists regularly.
  • Monitor for revocations. Subscribe to security announcements.

Past Disclosures

None yet — this is a new project.

Contact

  • Security issues: security@haldir.ai
  • General questions: Open an issue in the relevant repo