DO NOT OPEN A PUBLIC ISSUE for security vulnerabilities.

The CSMP project takes security seriously. We appreciate responsible disclosure of security vulnerabilities.

1. Email: Send details to security@csmp.org
2. Encryption: Use our PGP key
   • Fingerprint: 9A3B 5C7D 8E1F 2A4B 6C8D 0E1F 2A3B 4C5D
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

The security policy covers:

• CSMP protocol specification
• Reference implementation libraries
• Official tooling (validators, test suites)

The security policy does NOT cover:

• Third-party implementations (please contact their maintainers)
• Example code in documentation
• Deprecated versions

We gratefully acknowledge security researchers who have helped improve CSMP:

(Reporters may choose to remain anonymous. Let us know if you'd like to be credited.)

CSMP is built with the following security assumptions:

1. Zero Trust in Network: All traffic is encrypted end-to-end.
2. Minimal Metadata Leakage: Routing information is minimized.
3. Perfect Forward Secrecy: Message keys are ephemeral.
4. Content Authenticity: All containers are signed.

If you believe any of these principles are violated in the design, please report it following the process above.

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGabcdef... (truncated for brevity) -----END PGP PUBLIC KEY BLOCK-----

Full key available at: https://keys.openpgp.org/search?q=security%40csmp.org