Skip to content

security: third-party audit + SECURITY.md disclosure policy #170

Description

@ch4r10t33r

Problem

`docs/SECURITY.md` today is a threat-model doc (StrictNoSign rationale, wire caps). It is not a GitHub-recognised SECURITY.md and does not tell external researchers where or how to report a vulnerability privately.

There also has been no third-party security audit of the QUIC + libp2p TLS path, the gossipsub runtime, or the wire-framing parsers — only the in-tree audit issues #119#127 and the `zig build fuzz` harness around `src/wire_boundaries.zig`.

Before any public announcement that positions this as Eth2-grade networking we want:

  1. A real `SECURITY.md` at the repo root (not under `docs/`) with:
    • Supported versions table
    • Private disclosure channel (security@blockblaz, GitHub private advisory, or a PGP-signed mailbox)
    • SLA window (acknowledge ≤ 72 h, fix or mitigation ≤ 30 d, etc.)
    • Scope (what's in-tree vs. embedder responsibility — clarifies that wire caps live here but UDP listen-socket ownership doesn't)
  2. A third-party audit scoped to:
    • Wire parsers (`varint`, `multistream`, gossipsub RPC, req/resp framing, snappy)
    • TLS cert verification (`security.libp2p_tls` + the `zquic_tls` vendored handshake)
    • Gossipsub mesh state machine + StrictNoSign assumptions
    • Resource exhaustion paths (work depends on feat: Resource Manager (rcmgr) scope-based limits #169 rcmgr)
  3. Long fuzz runs in CI on a schedule (we have the smoke tests today; not the days-long sessions).

Out of scope

Threat-model documentation (already in `docs/SECURITY.md`); keep that.

Acceptance

  • Root `SECURITY.md` with disclosure policy + supported versions; `docs/SECURITY.md` cross-links to it.
  • Public audit report (scope letter, then report) attached to a tracked release once available.
  • Nightly long-running fuzz run in `.github/workflows/` separate from the existing smoke step.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions