Currently supported versions for security updates:
| Version | Supported |
|---|---|
| 0.9.12.x | ✅ |
| 0.9.11.x | ❌ |
| < 0.9.11 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please follow these steps:

- DO NOT open a public issue
- Email security@peacprotocol.org with:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if available)
- We will acknowledge receipt within 48 hours
- We will investigate and provide updates within 7 days
- We will coordinate disclosure timing with you

- EdDSA (Ed25519) signatures only
- JWS Compact Serialization
- Key rotation every 30 days
- Hardware security module support
- Strict JSON schema validation
- SSRF protection on all external calls
- Rate limiting with token buckets
- Request size limits enforced
- No secrets in code or commits
- Environment-based configuration
- Audit logging for security events
- Automated vulnerability scanning
Before submitting code:
- No hardcoded secrets or credentials
- All user input validated
- External URLs validated against SSRF
- Rate limiting considered
- Error messages don't leak sensitive info
- Dependencies audited (`pnpm audit`)
- Security tests written for new features
All crawler and verification endpoints implement SSRF guards:
- Private IP range blocking
- DNS rebinding protection
- Redirect limit enforcement
- Timeout controls
- Token bucket rate limiting
- Request size limits
- Computation timeouts
- Circuit breakers for external services
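An added example for the token-bucket and circuit-breaker items above, written for this page rather than taken from the PEAC Protocol code base. The bucket sizes, refill rate, failure threshold, cool-down and the fake clock are constructed values; the structure (lazy refill on each request, a separate bucket per client, fail-fast while the breaker is open) is the standard one.

```javascript
// Added example, not PEAC Protocol project code: a per-client token bucket
// limiter (burst = capacity, sustained rate = refill) and a circuit breaker for
// calls to external services. The clock is injected so refill and cool-down are
// deterministic in the demo; production would use Date.now().
class TokenBucketLimiter {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // key -> { tokens, updatedAt }
  }
  // Lazily refill the bucket for `key` from elapsed time, then try to spend `cost`.
  take(key, cost = 1) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) { b = { tokens: this.capacity, updatedAt: t }; this.buckets.set(key, b); }
    const elapsedSec = Math.max(0, t - b.updatedAt) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updatedAt = t;
    if (b.tokens < cost) return false;
    b.tokens -= cost;
    return true;
  }
  // Milliseconds until `cost` tokens are available; suitable for a Retry-After header.
  retryAfterMs(key, cost = 1) {
    const b = this.buckets.get(key);
    if (!b || b.tokens >= cost) return 0;
    return Math.ceil(((cost - b.tokens) / this.refillPerSec) * 1000);
  }
}

// closed: calls pass. open: fail fast for cooldownMs without touching the
// upstream. half-open: one trial call decides whether to close or re-open.
class CircuitBreaker {
  constructor({ failureThreshold, cooldownMs, now = () => Date.now() }) {
    Object.assign(this, { failureThreshold, cooldownMs, now, state: 'closed', failures: 0, openedAt: 0 });
  }
  async call(fn) {
    const t = this.now();
    if (this.state === 'open') {
      if (t - this.openedAt < this.cooldownMs) throw new Error('circuit open');
      this.state = 'half-open';
    }
    try {
      const result = await fn();
      this.failures = 0;
      this.state = 'closed';
      return result;
    } catch (e) {
      this.failures += 1;
      if (this.state === 'half-open' || this.failures >= this.failureThreshold) {
        this.state = 'open';
        this.openedAt = t;
      }
      throw e;
    }
  }
}

// Deterministic walkthroughs with a fake clock (constructed values).
function demoLimiter() {
  let clock = 0;
  const limiter = new TokenBucketLimiter({ capacity: 3, refillPerSec: 1, now: () => clock });
  const burst = [1, 2, 3, 4].map(() => limiter.take('client-a')); // 3 allowed, 4th denied
  const retryAfter = limiter.retryAfterMs('client-a');             // 1000 ms for one token
  clock = 500;
  const afterHalfSecond = limiter.take('client-a');                // 0.5 tokens: denied
  clock = 1100;
  const afterRefill = limiter.take('client-a');                    // 1.1 tokens: allowed
  const otherClient = limiter.take('client-b');                    // separate bucket
  return { burst, retryAfter, afterHalfSecond, afterRefill, otherClient };
}

async function demoBreaker() {
  let clock = 0;
  let invocations = 0;
  const breaker = new CircuitBreaker({ failureThreshold: 2, cooldownMs: 1000, now: () => clock });
  const upstream = (fail) => async () => { invocations += 1; if (fail) throw new Error('upstream 503'); return 'ok'; };
  const outcome = async (fn) => { try { return await breaker.call(fn); } catch (e) { return e.message; } };
  const first = await outcome(upstream(true));   // 'upstream 503', failures = 1
  const second = await outcome(upstream(true));  // 'upstream 503', failures = 2 -> open
  const third = await outcome(upstream(true));   // 'circuit open', upstream not called
  clock = 1000;
  const fourth = await outcome(upstream(false)); // half-open trial succeeds -> closed
  return { first, second, third, fourth, invocations, state: breaker.state };
}
```

Keying the limiter per client (API key, verified identity, or source address as a fallback) is what makes it a fairness control rather than a global throttle; the breaker protects the service from a slow or failing dependency by refusing to queue work against it until the cool-down has passed.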
- No PII in logs
- Structured telemetry with privacy controls
- GDPR-compliant data handling
- Configurable retention policies
The PEAC Protocol aims to comply with:
- OWASP API Security Top 10
- NIST Cybersecurity Framework
- EU GDPR requirements
- California CCPA requirements
- Security issues: security@peacprotocol.org
- General inquiries: contact@peacprotocol.org