Security: NodeCube/securefabric-core

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in SecureFabric Core, please report it responsibly by emailing security@nodecube.io. Do not publicly disclose the vulnerability until we have had a chance to address it.

When reporting a vulnerability, please include:

  • Description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact
  • Any known workarounds

We aim to respond to security reports within 48 hours and will work with you to understand and resolve the issue.

Security Practices

SecureFabric Core implements the following security measures:

Cryptography

  • Message Encryption: ChaCha20-Poly1305 AEAD cipher for message confidentiality and integrity
  • Signatures: Ed25519 signature verification on message ingress
  • Key Management: Secure key storage and handling with zeroization
  • Nonce/Replay Protection: 24-byte nonces with monotonic counters and replay cache

Transport Security

  • TLS/mTLS: Rustls-based TLS by default
  • Certificate Verification: Mutual TLS support with certificate pinning
  • Authentication: Bearer token authentication with constant-time comparison

Data Integrity

  • Write-Ahead Log (WAL): Encrypted message log with durability guarantees
  • State Verification: Cryptographic checksums for state validation
  • Nonce Tracking: Per-key monotonic counter enforcement
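
The replay protection and per-key nonce tracking listed above can be illustrated with a receiver-side check. This is an added example, not SecureFabric Core's own code: the nonce layout (16 random bytes followed by an 8-byte big-endian counter), the 64-counter sliding window (the anti-replay scheme used by IPsec and DTLS, standing in for the replay cache), and the names ReplayGuard, Verdict and sample_nonce are all assumptions.

```rust
use std::collections::HashMap;

// Assumed layout (not from the project): 16 random bytes || 8-byte big-endian counter.
pub const NONCE_LEN: usize = 24;
const WINDOW: u64 = 64; // how far behind the highest counter a late message may arrive

#[derive(Debug, PartialEq)]
pub enum Verdict { Accept, Replay, TooOld, BadNonce }
#[derive(Default)]
struct KeyState { init: bool, highest: u64, seen: u64 } // bit i of `seen` = counter highest-i

/// Hypothetical receiver-side guard. Call it only after the signature and AEAD tag
/// verify, so an unauthenticated message can never advance a sender's window.
#[derive(Default)]
pub struct ReplayGuard { keys: HashMap<[u8; 32], KeyState> }

impl ReplayGuard {
    pub fn check(&mut self, sender: &[u8; 32], nonce: &[u8]) -> Verdict {
        if nonce.len() != NONCE_LEN { return Verdict::BadNonce; }
        let mut c = [0u8; 8];
        c.copy_from_slice(&nonce[16..]);
        let ctr = u64::from_be_bytes(c);
        let st = self.keys.entry(*sender).or_default(); // state is kept per sender key
        if !st.init || ctr > st.highest {
            // New highest counter: slide the window forward and mark it as seen.
            let shift = if st.init { ctr - st.highest } else { WINDOW };
            st.seen = if shift >= WINDOW { 1 } else { (st.seen << shift) | 1 };
            st.highest = ctr;
            st.init = true;
            return Verdict::Accept;
        }
        let age = st.highest - ctr;
        if age >= WINDOW { return Verdict::TooOld; } // fell out of the window: reject
        let bit = 1u64 << age;
        if (st.seen & bit) != 0 { return Verdict::Replay; }
        st.seen |= bit; // late but unseen: accept once
        Verdict::Accept
    }
}

/// Constructed sample nonce: a fixed prefix stands in for the random part.
pub fn sample_nonce(ctr: u64) -> [u8; NONCE_LEN] {
    let mut n = [0xA5u8; NONCE_LEN];
    n[16..].copy_from_slice(&ctr.to_be_bytes());
    n
}

fn main() {
    let (mut g, alice) = (ReplayGuard::default(), [1u8; 32]);
    for &c in &[1u64, 3, 2, 3, 100, 5] { println!("{:>3} {:?}", c, g.check(&alice, &sample_nonce(c))); }
}
```

A strictly monotonic policy is the special case where any counter at or below the highest seen is rejected; the window trades that strictness for tolerance of reordered delivery.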

Release Security

  • Code Signing: Releases are signed using Cosign with Sigstore keyless signing
  • Artifact Verification: SHA256 checksums and signatures provided for all releases
  • Software Bill of Materials: SBOM included in each release for supply chain transparency

Dependencies

We use cargo-audit and cargo-deny to monitor and enforce security policies:

  • Vulnerable dependencies are scanned and blocked
  • Dependency licenses are verified for compatibility
  • Transitive dependency usage is tracked and limited

Run security checks locally:

cargo audit
cargo deny check

Code Review

All changes are reviewed for security implications before merging, including:

  • Cryptographic correctness
  • Boundary conditions and error handling
  • Resource management and denial-of-service prevention
  • Safe use of unsafe code blocks

Security Updates

We recommend keeping SecureFabric Core updated to the latest stable release. Security patches will be released as soon as they are available.

Responsible Disclosure

We practice responsible disclosure and ask that you:

  1. Report vulnerabilities privately before public disclosure
  2. Give us reasonable time to develop and release fixes (typically 30-90 days)
  3. Avoid public discussion of the vulnerability during the embargo period
  4. Work with us to verify the fix before publication

Security Resources
