Currently, the main branch is the only version receiving security updates.
| Version | Supported |
|---|---|
| main | ✅ |
| < 1.0 | ❌ |
We take the security of this aerospace suite very seriously. This policy covers:
- RF & DSP Pipelines (Buffer overflows, IQ validation, memory management)
- Telemetry Parsers (Deframer limits, malformed CSP/AX.25 packet handling)
- Cryptography & PKI (ECDSA SECP256R1 keys, XTEA in CTR mode, signature verification)
We recommend reporting vulnerabilities privately via cubedynamics.10@gmail.com.
We aim to acknowledge reports within 72 hours and provide a remediation plan or patch as soon as possible. Please do not open a public issue for critical security vulnerabilities, especially those related to cryptographic bypassing or ground-station network compromises.
Contributors must ensure that:
- No raw IQ captures containing sensitive or live API keys are ever committed.
- Debug logs are kept high-level; keys, IVs, and decrypted sensitive telemetry must never be printed to stdout.
- All satellite credentials and federated node keys must be managed via GitHub Actions secrets in CI.