WaveOS is an experimental simulator and research prototype. It is not intended for production, safety-critical, or adversarial deployments.
There are currently no versions with production security guarantees.
The active branch receives best-effort fixes for simulator/runtime issues, but the project should be treated as experimental software.
There is not yet a private security reporting channel configured for this repository.
- If the issue does not require sharing secrets or private third-party data, open an issue with clear reproduction steps, affected files, commands, and artifact paths.
- If the issue would require posting secrets, credentials, or host-compromise details, do not post that material publicly. Sanitize the report or wait until a private reporting channel is added.
Examples of relevant issues:
- capability bypasses in WaveIL execution
- handle isolation failures
- filesystem scope escapes
- registry-generation drift that creates unintended privileged behavior
- denial-of-service crashes from crafted packages or input streams
Examples that are not a good fit for a security report here:
- hardware manufacturing speculation
- risks caused by deploying this research prototype in production despite the repo warning not to
- issues that depend on publishing secrets inside a public issue
Security work in this repo is about keeping the simulator and control-plane boundaries coherent, not about claiming hardening for production use.