The DMSC (Dunimd Middleware Service) project takes security seriously. This document outlines our security policy, including supported versions, how to report vulnerabilities, and our disclosure process.

The following versions of DMSC are currently supported with security updates:

We provide security updates for the latest minor version in each major version series. Users are encouraged to upgrade to the latest version to receive security patches.

If you discover a security vulnerability in DMSC, please report it to us as soon as possible. We appreciate your efforts to responsibly disclose your findings.

Please do not report security vulnerabilities through public GitHub issues or Gitee issues.

Instead, please report security vulnerabilities via:

📧 Email: dunimd@outlook.com

For general questions and non-security issues, please use:

• Gitee Issues (Primary): https://gitee.com/dunimd/dmsc/issues
• GitHub Issues (Mirror): https://github.com/mf2023/DMSC/issues

Please include the following information in your report:

• Description: A clear and concise description of the vulnerability
• Impact: What kind of vulnerability is it and what impact could it have
• Affected Versions: Which versions of DMSC are affected
• Steps to Reproduce: Detailed steps to reproduce the vulnerability
• Proof of Concept: If possible, include a proof-of-concept or exploit code
• Suggested Fix: If you have suggestions for how to fix the vulnerability
• Your Contact Information: How we can reach you for clarifications (optional)

When you submit a security report, you can expect the following:

1. Acknowledgment: We will acknowledge receipt of your report within 48 hours
2. Initial Assessment: We will provide an initial assessment within 5 business days
3. Investigation: We will investigate the vulnerability and determine its impact
4. Fix Development: If confirmed, we will work on a fix and may reach out for additional information
5. Disclosure: We will coordinate with you on the disclosure timeline

Our target response times are:

DMSC includes several cryptographic implementations:

• Kyber: Key Encapsulation Mechanism (KEM) based on Module-LWE
• Dilithium: Digital signature algorithm
• Falcon: Compact digital signature algorithm

These implementations use the oqs crate, which provides Rust bindings to liboqs (Open Quantum Safe).

• SM2: Elliptic curve public key cryptography
• SM3: Cryptographic hash function
• SM4: Block cipher algorithm

These implementations use the sm-crypto crate.

• All cryptographic operations should be performed using the provided APIs
• Do not implement custom cryptographic algorithms
• Keep cryptographic libraries updated to the latest versions
• Use appropriate key sizes and security parameters

• Always use TLS (WSS) for production WebSocket connections
• Validate server certificates
• Implement proper authentication and authorization

• Use TLS for all gRPC connections in production
• Implement mutual TLS (mTLS) for service-to-service communication when appropriate

• Enable TLS/HTTPS in production environments
• Use proper CORS configuration
• Implement rate limiting to prevent abuse

• Use strong authentication mechanisms (JWT, OAuth 2.0)
• Implement proper session management
• Use role-based access control (RBAC)
• Regularly rotate secrets and API keys
• Store credentials securely (use the secrecy crate for sensitive data)

• Encrypt sensitive data at rest
• Use secure random number generation for tokens and IDs
• Implement proper input validation
• Sanitize data to prevent injection attacks

When using DMSC in your applications:

Regularly update DMSC and its dependencies to receive security patches:

cargo update
cargo audit  # Use cargo-audit to check for known vulnerabilities

Always use the latest stable version of DMSC to ensure you have the latest security fixes.

Build DMSC with security features enabled:

cargo build --release --features "protocol,auth"

Review and configure security-related settings:

• TLS configuration
• Authentication settings
• Rate limiting parameters
• CORS policies

Enable security logging and monitoring:

• Log authentication attempts
• Monitor for unusual activity
• Set up alerts for security events

Follow secure deployment practices:

• Use container security best practices
• Implement network segmentation
• Regular security audits
• Penetration testing

1. Kafka on Windows: The Kafka backend on Windows requires manual build configuration. Ensure proper security settings when building librdkafka.

2. etcd Client: Requires protoc for compilation. Ensure protoc is from a trusted source.

3. Post-Quantum Cryptography: Requires liboqs to be installed on the system. Ensure liboqs is properly secured.

• Review the deployment guide for production security recommendations
• Implement proper network security (firewalls, VPCs)
• Use secrets management systems for credentials
• Enable audit logging

Security updates will be announced through:

• GitHub Security Advisories
• GitHub Releases (with security fix notes)
• CHANGELOG.md (with security-related changes marked)

• We will acknowledge receipt of vulnerability reports within 48 hours
• We will provide regular updates on our progress
• We will credit researchers who responsibly disclose vulnerabilities (unless they prefer to remain anonymous)
• We will not take legal action against researchers who follow this policy

1. Day 0: Vulnerability reported
2. Day 1-2: Acknowledgment and initial assessment
3. Day 3-14: Investigation and fix development
4. Day 15-30: Testing and validation
5. Day 30+: Coordinated disclosure

We aim to disclose vulnerabilities within 90 days of the initial report, or sooner if a fix is available.

We will publicly disclose vulnerabilities after:

• A fix has been developed and tested
• Affected users have had reasonable time to update
• The vulnerability has been assigned a CVE identifier (if applicable)

The following environment variables affect security:

Review security-related configuration options in:

• DMSCAuthConfig - Authentication settings
• DMSCGatewayConfig - Gateway security settings
• DMSCWSClientConfig - WebSocket security settings

We welcome third-party security audits. If you are conducting a security audit of DMSC:

1. Please follow responsible disclosure practices
2. Contact us in advance if you plan to publish findings
3. We appreciate receiving a copy of the audit report

• OWASP Top 10
• Rust Security Guidelines
• Cargo Audit
• Open Quantum Safe

For security-related inquiries:

• Email: dunimd@outlook.com
• GPG Key: [Available upon request]

For general questions and non-security issues, please use:

• Gitee Issues (Primary): https://gitee.com/dunimd/dmsc/issues
• GitHub Issues (Mirror): https://github.com/mf2023/DMSC/issues
• GitHub Discussions: https://github.com/mf2023/DMSC/discussions

We thank the following security researchers who have responsibly disclosed vulnerabilities:

This list will be updated as vulnerabilities are reported and fixed.

Last Updated: 2025-01-31

Version: 1.0