Security: OpenHush/dashboard

SECURITY.md

Security Policy

OpenHush ships software, hardware, and a card format that may end up in children's bedrooms. We take security seriously and we welcome reports from the community.

Reporting a Vulnerability

If you believe you have found a security issue in any OpenHush project, please do not open a public issue.

Report it privately to: TODO: add contact

When reporting, please include:

  • The repository and version (or commit) affected.
  • A description of the issue and its impact.
  • Steps to reproduce, or a proof of concept.
  • Any suggested mitigation, if you have one.

What to expect

  • Acknowledgement of your report within 5 working days.
  • A first assessment within 15 working days.
  • Coordinated disclosure: we will agree a timeline with you before any public write-up.
  • Credit in the release notes, unless you prefer to remain anonymous.

Scope

In scope:

  • hush-firmware — device firmware
  • hush-hardware — schematics and reference designs
  • whispers-spec — the Whisper card format
  • hush-companion — the companion app
  • Anything else under the OpenHush organisation

Out of scope:

  • Vulnerabilities in third-party dependencies — please report them upstream and let us know once they're public so we can roll the fix.
  • Theoretical attacks without a working PoC against a current release.
  • Social-engineering attacks against maintainers.

Safe harbour

We will not pursue legal action against good-faith security research that follows this policy. Please:

  • Avoid privacy violations and degradation of service.
  • Only test against devices and accounts you own or have explicit permission to access.
  • Do not exfiltrate user data beyond what's strictly necessary to demonstrate the issue.

Hardware caveats

OpenHush is open hardware. Anyone with physical access to a device can in principle read its storage, dump firmware, or replace components. We treat physical attacks against an unattended device as a known limitation rather than a vulnerability, unless they bypass a control we explicitly claim to provide.

There aren’t any published security advisories