Do not open public issues for security vulnerabilities.
Use GitHub Security Advisories private reporting:
- Open the repository Security tab.
- Select Report a vulnerability.
- Submit a private advisory that includes:
  - a clear vulnerability description
  - the affected GBV stage/component
  - reproducible steps
  - the expected attacker model/capability
  - the observed impact
  - an optional mitigation proposal
Highest priority findings include:
- nonce-binding bypasses
- semantic invariant bypasses
- verifier authority/blindness violations
- receipt/commitment integrity flaws
- extension collection flow bypasses
Response process:
- acknowledgement target: 72 hours
- triage and reproduction
- coordinated remediation
- optional attribution upon fix (on request)
Good-faith testing and responsible private disclosure are welcome.
This repository is a local-first protocol reference implementation. Reports should prioritize protocol correctness and verification integrity over hosted production hardening concerns.