Skip to content

Security: slimbiggins007/upholdr

SECURITY.md

Security policy

Reporting a vulnerability

Please report security issues privately — via GitHub's private vulnerability reporting (the repository Security tab → "Report a vulnerability"). Please do not open public issues for security reports.

What Upholdr's audit trail does and does not guarantee

Upholdr's ledger is tamper-evident, not tamper-proof.

  • Detects: in-place edits, record deletion, and reordering of ledger records — via append-only SQLite triggers plus a SHA-256 hash chain over a single monotonic append sequence. upholdr verify recomputes the chain from genesis and reports the first divergence; tail truncation is caught by the sequence counter.
  • Does NOT protect against: an attacker with filesystem or process access can
    • delete or replace the entire database file;
    • drop the triggers and rewrite a fresh, internally-consistent forged chain — without record signing, the chain proves internal consistency, not authenticity;
    • edit the mutable ledger_seq counter to mask a tail truncation;
    • or, in a compromised Upholdr process, write false records before they are sealed.

The real defenses against a privileged attacker are record signing (HMAC / ed25519) and off-box export / external anchoring of the chain head. See docs/threat-model.md for the full model and the hardening roadmap.

Operate the ledger where the governed agent cannot write to it out-of-band, ship the chain head off-box, and treat a verify failure as an incident.

There aren't any published security advisories