You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
`docs/SECURITY.md` today is a threat-model doc (StrictNoSign rationale, wire caps). It is not a GitHub-recognised SECURITY.md and does not tell external researchers where or how to report a vulnerability privately.
There also has been no third-party security audit of the QUIC + libp2p TLS path, the gossipsub runtime, or the wire-framing parsers — only the in-tree audit issues #119–#127 and the `zig build fuzz` harness around `src/wire_boundaries.zig`.
Before any public announcement that positions this as Eth2-grade networking we want:
A real `SECURITY.md` at the repo root (not under `docs/`) with:
Supported versions table
Private disclosure channel (security@blockblaz, GitHub private advisory, or a PGP-signed mailbox)
Problem
`docs/SECURITY.md` today is a threat-model doc (StrictNoSign rationale, wire caps). It is not a GitHub-recognised SECURITY.md and does not tell external researchers where or how to report a vulnerability privately.
There also has been no third-party security audit of the QUIC + libp2p TLS path, the gossipsub runtime, or the wire-framing parsers — only the in-tree audit issues #119–#127 and the `zig build fuzz` harness around `src/wire_boundaries.zig`.
Before any public announcement that positions this as Eth2-grade networking we want:
Out of scope
Threat-model documentation (already in `docs/SECURITY.md`); keep that.
Acceptance