This policy covers vulnerability reporting for the repository.
We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 3.0.x | ✅ |
| 2.x | ❌ |
| < 2.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Report vulnerabilities through GitHub Security Advisories or by emailing Kenneth Pernyer at kenneth@reflective.se.
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- The version of Converge you're using
- A description of the vulnerability
- Steps to reproduce the issue
- Any relevant logs or error messages
- Your assessment of the impact (CVSS score if possible)

After a report is received, the process is:

- Acknowledgment: We will acknowledge your report within 48 hours
- Assessment: We will assess the vulnerability and determine its impact
- Patch Development: We will develop a fix and test it thoroughly
- Release: We will release the fix in a new version
- Disclosure: We will publicly disclose the vulnerability after the fix is available
The repository applies the following security measures:

- `unsafe_code = "forbid"` across all crates
- Dependency auditing via `cargo-deny` (RUSTSEC advisories + license compliance)
- Clippy pedantic lints enforced in CI
- Secrets handled via `zeroize` (opt-in `secure` feature on `converge-provider`)
- Ed25519 signed delegation tokens in `converge-policy`
The current runtime and policy control-surface baseline is recorded in `kb/Architecture/Audits/2026-04-11 Security Review.md`.
That review is the source of truth for the latest closed findings and the expected fail-closed posture on authority, authentication, logging, and transport defaults.
Changes touching policy, runtime, auth, transport, or public control surfaces must pass:

```
just security-gate
```

The gate currently runs:

```
cargo check --workspace
cargo test -p converge-policy
cargo test -p converge-runtime --lib
cargo test -p converge-pack --test compile_fail
cargo test -p converge-core --test compile_fail --test truth_pipeline --test negative --test properties
cargo test -p converge-client --test messages
```

This repository provides a secure development baseline and reference runtime patterns, but production compliance depends on deployment-specific controls.
Deployers are responsible for:
- infrastructure hardening and patching
- identity provider and access control configuration
- encryption key management and rotation
- retention, deletion, and privacy controls
- vendor review and subprocessor management
- legal/regulatory scoping for sensitive workloads
The project is designed to support enterprise security reviews, but this repository does not itself claim certification or regulatory compliance unless separately documented with evidence.
In particular, do not treat this repository alone as a declaration of:
- SOC 2 certification
- ISO 27001 certification
- HIPAA compliance
- PCI DSS compliance
- GDPR compliance
When using Converge in production:
- Keep your dependencies updated
- Use the latest stable version
- Enable the `secure` feature on `converge-provider` for secret zeroization
- Follow the principle of least privilege
- Monitor your systems for unusual activity
- Use secure communication channels (TLS)
For security-related questions or concerns:
Kenneth Pernyer
- Email: kenneth@reflective.se
- PGP Key: Available upon request
We ask security researchers to:
- Give us reasonable time to respond to your report before making it public
- Avoid exploiting the vulnerability in production systems
- Avoid violating privacy laws or disrupting services
- Provide sufficient detail to reproduce the issue
We commit to:
- Responding promptly to security reports
- Providing regular updates on our progress
- Crediting reporters in our security advisories (unless anonymous)
- Releasing fixes in a timely manner