
Security: dpp/ferrisipfs


SECURITY.md

Security Policy

Supported Versions

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

How to Report

Do not open a public issue for security vulnerabilities.

Instead, please send a detailed report to the maintainers privately:

  1. Email: Send to the maintainers listed in Cargo.toml
  2. Codeberg: Use the private security advisory feature if available

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Initial response: Within 48 hours
  • Status update: Within 7 days
  • Fix timeline: Depends on severity
    • Critical: 24-48 hours
    • High: 7 days
    • Medium: 30 days
    • Low: Next release

Disclosure Policy

  • We will acknowledge your report promptly
  • We will keep you informed of our progress
  • We will credit you (unless you prefer anonymity) when we publish the fix
  • We ask that you give us reasonable time to fix the issue before public disclosure

Security Best Practices

When using ferrisipfs:

  1. API Security: The HTTP API binds to localhost by default. Do not expose it to untrusted networks without authentication; anyone who can reach the API can control the node.

  2. Private Keys: Your node's private key is stored in ~/.ipfs/config. Protect this file (permissions should be 0600).

  3. Remote Pinning: API keys for remote pinning services are stored in config. Treat your config file as sensitive.

  4. Content: IPFS is content-addressed, not source-authenticated. Verify content through out-of-band means if authenticity matters.
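The first three practices above (loopback-only API, 0600 on the config file, config treated as secret) can be checked mechanically. The following is an added example, written for this page and not part of ferrisipfs itself. It assumes the ~/.ipfs/config path given above, and it assumes the API listen address is stored either as host:port or as a multiaddr of the form /ip4/<addr>/tcp/<port> or /ip6/<addr>/tcp/<port>; that multiaddr shape is an assumption about the config, not something this page documents.

```rust
use std::fs;
use std::net::{IpAddr, SocketAddr};
use std::os::unix::fs::PermissionsExt;
use std::path::Path;

/// True when `path` is a regular file whose mode is exactly 0600
/// (owner read/write only). Any group/other bit, or a setuid/setgid/sticky
/// bit, disqualifies it. Errors (missing file, no access) propagate to the caller.
pub fn is_owner_only(path: &Path) -> std::io::Result<bool> {
    let meta = fs::metadata(path)?;
    if !meta.is_file() {
        return Ok(false);
    }
    // mode() carries the file-type bits too; mask down to the permission bits.
    Ok(meta.permissions().mode() & 0o7777 == 0o600)
}

/// Extract the listen IP from either a `host:port` socket address or a
/// multiaddr such as `/ip4/127.0.0.1/tcp/5001`. The multiaddr layout is an
/// assumption for this example; adapt it if the config stores addresses differently.
/// Hostnames (including "localhost") are deliberately rejected: name resolution
/// is outside our control, so they cannot prove the socket is loopback-only.
fn listen_ip(addr: &str) -> Option<IpAddr> {
    if let Ok(sa) = addr.parse::<SocketAddr>() {
        return Some(sa.ip());
    }
    let parts: Vec<&str> = addr.split('/').filter(|p| !p.is_empty()).collect();
    match parts.as_slice() {
        ["ip4", ip, ..] | ["ip6", ip, ..] => ip.parse().ok(),
        _ => None,
    }
}

/// True only when the address is provably a loopback address. Unparseable input
/// is treated as unsafe so that a typo in the config fails closed.
pub fn api_addr_is_loopback(addr: &str) -> bool {
    match listen_ip(addr) {
        Some(ip) => ip.is_loopback(),
        None => false,
    }
}

fn main() {
    // Check the config path this page names; skip silently if HOME is unset.
    if let Some(home) = std::env::var_os("HOME") {
        let cfg = Path::new(&home).join(".ipfs/config");
        match is_owner_only(&cfg) {
            Ok(true) => println!("{}: permissions OK (0600)", cfg.display()),
            Ok(false) => println!("{}: NOT 0600, run: chmod 600 {}", cfg.display(), cfg.display()),
            Err(e) => println!("{}: {}", cfg.display(), e),
        }
    }
    // Constructed sample addresses, not read from a real config.
    for a in ["127.0.0.1:5001", "[::1]:5001", "0.0.0.0:5001", "/ip4/127.0.0.1/tcp/5001"] {
        println!("{}: loopback={}", a, api_addr_is_loopback(a));
    }
}
```

Wire the two functions into whatever reads your node's configured API address and run it as a pre-start check; a node that binds 0.0.0.0 or whose config is group-readable should refuse to start rather than log a warning.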

Dependencies

We monitor dependencies for known vulnerabilities using cargo audit. Run it yourself with:

cargo install cargo-audit
cargo audit
