
Security: koke1997/timenow


SECURITY.md

Security Policy

Supported Versions

Version   Support status
2.4.x     ✅ Fully supported
2.1.x     ⚠️ Security fixes only
2.0.x     ⚠️ Security fixes only
1.0.x     ❌ Unsupported
< 1.0     ❌ Unsupported

Reporting a Vulnerability

Please DO NOT open a public GitHub issue for security vulnerabilities.

Instead, report vulnerabilities privately by emailing:

📧 ivan.kokalovic@protonmail.com

Include as much of the following as possible:

  • Description of the vulnerability
  • Steps to reproduce
  • Affected version(s)
  • Potential impact
  • Suggested fix (if any)

Response Timeline

Action              Timeframe
Acknowledgement     48 hours
Initial assessment  7 days
Fix (critical)      30 days

We will keep you informed of progress throughout the process.

Scope

In Scope

  • Backend API (authentication, authorization, input validation, injection)
  • SDK clients (data integrity, transport security)
  • Mesh consensus and Ed25519 signing (cryptographic weaknesses, replay attacks)
  • Dependency vulnerabilities (outdated or compromised transitive dependencies)

Out of Scope

  • Self-hosted frontend cosmetic issues (UI glitches, styling inconsistencies)
  • Documentation typos

Disclosure Policy

We follow a coordinated disclosure model:

  • Reporters are asked to keep vulnerability details confidential until a fix is released.
  • We provide a 90-day disclosure window from the initial report before public disclosure.
  • A CVE will be requested for critical issues to ensure broad visibility and traceability.

Security Best Practices for Deployers

  • Run behind a reverse proxy (e.g., Nginx, Caddy, Traefik) — do not expose the backend directly to the internet.
  • Use TLS for all connections to protect data in transit.
  • Restrict access to /metrics — monitoring endpoints should not be publicly reachable.
  • Rotate API keys regularly and revoke unused credentials.
  • Keep Orekit data updated to ensure accurate time reference computations.

Release Verification

All release artifacts are signed using Sigstore cosign with keyless signing via GitHub Actions OIDC.

Verify a release artifact

# Install cosign
# https://docs.sigstore.dev/system_config/installation/

# Download the artifact, signature, and certificate
RELEASE="v2.2.0"
curl -LO "https://github.com/koke1997/timenow/releases/download/${RELEASE}/timenow-cli-${RELEASE}.tar.gz"
curl -LO "https://github.com/koke1997/timenow/releases/download/${RELEASE}/timenow-cli-${RELEASE}.tar.gz.sig"
curl -LO "https://github.com/koke1997/timenow/releases/download/${RELEASE}/timenow-cli-${RELEASE}.tar.gz.cert"

# Verify the detached signature against the certificate issued to the release workflow.
# The identity regexp pins the signing identity to a workflow in this repository, and the
# OIDC issuer pins it to GitHub Actions; a signature from any other identity is rejected.
cosign verify-blob timenow-cli-${RELEASE}.tar.gz \
  --signature timenow-cli-${RELEASE}.tar.gz.sig \
  --certificate timenow-cli-${RELEASE}.tar.gz.cert \
  --certificate-identity-regexp "https://github.com/koke1997/timenow" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

Software Bill of Materials (SBOM)

Each release includes a CycloneDX SBOM (timenow-sbom-vX.Y.Z.cdx.json) attached to the GitHub release. This lists all dependencies and their versions for supply chain verification.
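As an added example (not part of the project's own tooling), the following script shows how a deployer can use the CycloneDX SBOM for that verification: it parses the JSON, flags components that carry no purl, and reports version drift against a list of reviewed pins. The SBOM content, component names and pins are constructed placeholders, not the project's real dependencies.

```python
import json

# Constructed CycloneDX 1.5 SBOM in the shape of timenow-sbom-vX.Y.Z.cdx.json.
# Component names and versions are placeholders, not the real dependency set.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-ed25519-lib", "version": "1.4.2",
         "purl": "pkg:maven/org.example/example-ed25519-lib@1.4.2"},
        {"type": "library", "name": "example-orekit-data", "version": "12.0.1",
         "purl": "pkg:maven/org.example/example-orekit-data@12.0.1"},
        {"type": "library", "name": "example-json", "version": "2.9.0"},
    ],
})

# Constructed list of pins the deployer reviewed and approved for this release.
EXPECTED_PINS = {
    "example-ed25519-lib": "1.4.2",
    "example-orekit-data": "12.0.0",
    "example-expected-missing": "0.1.0",
}


def load_sbom(text):
    """Parse a CycloneDX JSON SBOM and refuse anything that is not one."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX SBOM")
    return bom


def check_sbom(text, expected):
    """Return findings: components without a purl (not traceable to a package
    ecosystem), version drift from the pins, and pinned components absent."""
    bom = load_sbom(text)
    findings = {"missing_purl": [], "drift": {}, "absent": []}
    seen = {}
    for comp in bom.get("components", []):
        name, version = comp.get("name"), comp.get("version")
        seen[name] = version
        if "purl" not in comp:
            findings["missing_purl"].append(name)
    for name, pinned in expected.items():
        if name not in seen:
            findings["absent"].append(name)
        elif seen[name] != pinned:
            findings["drift"][name] = (pinned, seen[name])
    return findings


if __name__ == "__main__":
    for key, value in check_sbom(SAMPLE_SBOM, EXPECTED_PINS).items():
        print(key, value)
```

Any non-empty finding is a reason to stop and compare the SBOM against the build that was actually reviewed before deploying the artifact.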

Known Security Considerations

  • Ed25519 key generation depends on system entropy. On systems with poor entropy sources (e.g., early-boot VMs, containers without /dev/urandom seeding), key quality may be degraded.
  • Mesh consensus trusts GPS input. GPS signals are spoofable; in high-security environments, consider supplementary time sources or signal authentication.
  • No authentication by default. The backend API ships without authentication enabled. Deployers must configure authentication before exposing the service to untrusted networks.
