| Version | Supported | Security Audit |
|---|---|---|
| 1.1.x | ✅ | v1.1.0 Audit |
| 1.0.x | ✅ | Pending |
| 0.9.x | ❌ End of Life | N/A |
| < 0.9 | ❌ End of Life | N/A |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- Do NOT open a public GitHub issue for security vulnerabilities
- Send a detailed report to the maintainers via GitHub Security Advisories
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours of your report
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity
  - Critical: 24-72 hours
  - High: 7 days
  - Medium: 30 days
  - Low: 90 days
The following are in scope for security reports:
- Cryptographic weaknesses (key exchange, encryption, hashing)
- Authentication/authorization bypasses
- Information disclosure vulnerabilities
- Denial of service attacks against the protocol
- Traffic analysis vulnerabilities that break privacy guarantees
- Memory safety issues (buffer overflows, use-after-free)
- Side-channel attacks on cryptographic operations
The following are out of scope:
- Social engineering attacks
- Physical attacks
- Issues in dependencies (report to upstream)
- Issues requiring unlikely user interaction
We appreciate security researchers who help improve WRAITH Protocol:
- Credit in release notes (with permission)
- Addition to CONTRIBUTORS.md security section
- Potential bounty for critical vulnerabilities (case-by-case)
WRAITH Protocol is designed with security as a core principle:
- Cryptography: XChaCha20-Poly1305 AEAD, X25519 key exchange, BLAKE3 hashing
- Forward Secrecy: Double ratchet key derivation
- Traffic Analysis Resistance: Elligator2 encoding, padding, timing obfuscation
- Mutual Authentication: Noise_XX handshake pattern
- Memory Safety: Rust implementation with no unsafe code in crypto paths
For detailed security architecture, see docs/architecture/security-model.md.
WRAITH Protocol undergoes regular security audits:
- v1.1.0 Audit (2025-12-06): Full Report
  - ✅ Zero dependency vulnerabilities (286 dependencies scanned)
  - ✅ Zero code quality warnings (clippy -D warnings)
  - ✅ 1,157 tests passing (100% pass rate)
  - ✅ Comprehensive cryptographic validation
  - ✅ Multi-layer rate limiting and DoS protection
  - ✅ No information leakage in error messages
  - Security Posture: EXCELLENT
- Frequency: Quarterly security audits
- Next Audit: March 2026
- Scope: Full codebase review + dependency audit + penetration testing
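As an added example (not this policy's text and not the project's own CI configuration), the GitHub Actions workflow below reproduces the automated part of the audit checklist on every push: the dependency vulnerability scan against the RustSec advisory database, clippy with warnings denied, the test suite, and a lint that rejects any `unsafe` block in the crypto crate. The crate name `wraith-crypto` is an assumption; substitute the real crate that holds the cryptographic code.

```yaml
# Added example, not the project's own workflow. Crate name is assumed.
name: security-gates
on: [push, pull_request]
jobs:
  gates:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        with:
          components: clippy
      - name: Install cargo-audit
        run: cargo install cargo-audit --locked
      - name: Dependency vulnerability scan (RustSec advisory DB)
        # --deny warnings fails the job on unmaintained/unsound/yanked crates too,
        # not only on entries with a CVE-style advisory.
        run: cargo audit --deny warnings
      - name: Lint with warnings denied
        run: cargo clippy --all-targets --all-features -- -D warnings
      - name: Test suite
        run: cargo test --all-features
      - name: No unsafe code in the crypto crate
        # `unsafe_code` is a rustc lint; denying it turns any `unsafe` block
        # or impl in the linted crate into a hard error.
        # "wraith-crypto" is an assumed crate name.
        run: cargo clippy -p wraith-crypto --all-targets -- -D warnings -D unsafe_code
```

The last step is a belt-and-braces check; the usual way to enforce the "no unsafe in crypto paths" property is `#![forbid(unsafe_code)]` at the crate root, which cannot be overridden by an `#[allow]` further down. The lint only covers crates being linted by clippy, so registry dependencies (which cargo compiles with `--cap-lints allow`) are not affected, and they are the reason the check is scoped with `-p` to the crypto crate rather than run workspace-wide.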