This security policy applies to the public SDK and protocol repository only.

• For SDK vulnerabilities (client libraries, protocol specs), report here
• For node/server vulnerabilities, contact security@secure-fabric.io directly

This repository does not contain server implementation code.

If you discover a security vulnerability in SecureFabric SDKs or protocol specifications, please report it responsibly:

1. DO NOT open a public GitHub issue
2. Email us at security@secure-fabric.io
3. Use GitHub's private security advisory feature
4. Include detailed information:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fixes (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 5 business days
• Resolution: Coordinated with reporter
• Disclosure: Coordinated timing with reporter

• All SDKs communicate with SecureFabric nodes over TLS
• Bearer token authentication required
• No plaintext credential storage in examples
• Input validation on all SDK methods

• End-to-end encryption using ChaCha20-Poly1305 AEAD
• Ed25519 signature verification (when enabled on node)
• Replay protection via nonce management
• Message integrity via authenticated encryption

1. Credentials: Store tokens in environment variables or secure vaults, never in code
2. TLS: Always use HTTPS/TLS endpoints in production
3. Validation: Validate all inputs before sending messages
4. Updates: Keep SDKs updated to latest versions
5. Monitoring: Log and monitor API errors and authentication failures

• SDKs rely on node-side security controls
• No built-in rate limiting in client libraries
• Token refresh must be handled by application

Security updates will be announced via:

• GitHub Security Advisories
• Release notes
• Email notification to registered users

Thank you for helping keep SecureFabric secure!