ClearKey is security-critical infrastructure. We take vulnerabilities seriously.
Security fixes are provided for the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please report security issues via email:
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
In scope:
- Signature verification bypasses
- Hash collision attacks
- Timing attacks on verification
- Memory safety issues
- Determinism violations that could enable attacks
Out of scope:
- Denial of service via malformed input (malformed input is rejected with an error return, which is the intended behaviour)
- Issues that require local file system access
- Theoretical attacks with no practical exploitation path
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Fix timeline: depends on severity
  - Critical: 24-72 hours
  - High: 1-2 weeks
  - Medium: next release cycle
  - Low: best effort
We follow coordinated disclosure:
- Reporter notifies us privately
- We assess and develop a fix
- We notify the reporter of the fix
- We release the fix
- Public disclosure is permitted once the fix is released, or 90 days after the report, whichever comes first
ClearKey follows these principles:
- Offline verification - No network calls during verification
- No trust in input - All inputs are treated as potentially malicious
- Fail closed - Any ambiguity results in verification failure
- Deterministic - Same inputs always produce same outputs
- Minimal dependencies - fewer dependencies mean a smaller attack surface
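To show how these principles look in code, here is an added example that is not ClearKey's own code (this page does not describe ClearKey's signature scheme or API). It uses HMAC-SHA256 as a stand-in scheme and places a naive verifier beside a fail-closed one; the function names `sign`, `verify_naive` and `verify`, the strict lowercase-hex tag encoding, and the sample key and message are all assumptions made for the illustration.

```python
"""Fail-closed, constant-time, deterministic verification (illustrative).

Added example, not ClearKey code. HMAC-SHA256 stands in for whatever
signature scheme ClearKey actually uses.
"""
import hashlib
import hmac

TAG_LEN = 32                      # SHA-256 output, in bytes
HEX_DIGITS = frozenset("0123456789abcdef")

# Constructed sample inputs for the demonstration (not real ClearKey data).
SAMPLE_KEY = bytes(range(32))
SAMPLE_MSG = b"artifact-v1.0.0"


def sign(key: bytes, message: bytes) -> str:
    """Produce a lowercase-hex HMAC-SHA256 tag (stand-in signature scheme)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_naive(key: bytes, message: bytes, tag_hex: str) -> bool:
    """How NOT to verify. Three problems:

    - bytes.fromhex raises ValueError on malformed input instead of returning
      False, so a caller that forgets to catch it crashes or, worse, fails open;
    - it accepts non-canonical spellings (whitespace, uppercase), so one tag has
      several byte-for-byte-different encodings that all verify;
    - `==` on bytes stops at the first differing byte, leaking the position of
      the mismatch through timing.
    """
    return hmac.new(key, message, hashlib.sha256).digest() == bytes.fromhex(tag_hex)


def verify(key: bytes, message: bytes, tag_hex: object) -> bool:
    """Fail-closed verification.

    No trust in input: types, lengths and alphabet are checked before any
    cryptographic work. Fail closed: every rejection path, including an
    unexpected exception, returns False. Constant-time: compare_digest does
    not short-circuit on mismatch. Deterministic and offline: no clock, RNG,
    file or network access is involved.
    """
    try:
        if not isinstance(key, (bytes, bytearray)) or len(key) == 0:
            return False
        if not isinstance(message, (bytes, bytearray)):
            return False
        # Exactly one canonical spelling is accepted: 64 lowercase hex digits.
        # Any other encoding of the same bytes is ambiguity, hence failure.
        if not isinstance(tag_hex, str) or len(tag_hex) != 2 * TAG_LEN:
            return False
        if not HEX_DIGITS.issuperset(tag_hex):
            return False
        expected = hmac.new(bytes(key), bytes(message), hashlib.sha256).digest()
        return hmac.compare_digest(expected, bytes.fromhex(tag_hex))
    except Exception:
        # Anything unanticipated is a verification failure, never a success.
        return False


if __name__ == "__main__":
    tag = sign(SAMPLE_KEY, SAMPLE_MSG)
    spaced = " ".join(tag[i:i + 2] for i in range(0, len(tag), 2))
    print("canonical tag accepted:   ", verify(SAMPLE_KEY, SAMPLE_MSG, tag))
    print("naive accepts spaced tag: ", verify_naive(SAMPLE_KEY, SAMPLE_MSG, spaced))
    print("strict rejects spaced tag:", verify(SAMPLE_KEY, SAMPLE_MSG, spaced))
    print("garbage tag -> False:     ", verify(SAMPLE_KEY, SAMPLE_MSG, "zz"))
```

The strict alphabet and length checks are what make "fail closed" concrete: the naive verifier treats `"aa bb ..."` and `"AABB..."` as the same tag as `"aabb..."`, so a downstream system that logs, deduplicates or pins tags by string can be confused by inputs that all verify; the strict verifier accepts one encoding only and maps every other input, including garbage that would raise, to `False`.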
We thank the security research community for helping keep ClearKey secure.
This security policy is subject to change. Check the repository for the latest version.