| Version | Supported |
|---|---|
| 0.3.x | ✅ |
| < 0.3 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the following information in your report:
- Type of vulnerability (e.g., signature bypass, hash collision, chain manipulation)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment (what an attacker could achieve)
Spine's security relies on:
- Ed25519 signatures: Each WAL entry is signed at the source
- BLAKE3 hash chains: Entries are cryptographically linked
- Client-side verification: The CLI verifies without trusting any server
In scope:
- Signature forgery or bypass
- Hash chain manipulation without detection
- Timestamp manipulation attacks
- Key extraction from WAL files
- Denial of service through malformed WAL files
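To make the model above concrete, here is an added illustration of a signed, hash-chained log and the client-side verifier that walks it. This is not Spine's own code: Spine's actual WAL layout, field names, digest construction and checks are not given on this page, and every name and structure below is an assumption made for the example. It uses Go's standard-library Ed25519; SHA-256 stands in for BLAKE3 because BLAKE3 is not in the standard library, and the chaining logic does not depend on which hash is used. The verifier reports the first entry at which linkage, content, timestamp ordering or signature fails, which is how the in-scope classes listed above (chain manipulation, content tampering, timestamp rollback, entries signed with the wrong key) surface to a client that trusts only the publisher's public key and never the server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Entry is a hypothetical WAL record. Field names and layout are this
// example's assumptions, not Spine's on-disk format.
type Entry struct {
	Index     uint64
	Timestamp int64
	PrevHash  [32]byte
	Payload   []byte
	Hash      [32]byte
	Sig       []byte
}

// entryDigest binds index, timestamp, previous hash and payload together.
// SHA-256 (stdlib) stands in for BLAKE3 here; the chaining logic is the same.
func entryDigest(index uint64, ts int64, prev [32]byte, payload []byte) [32]byte {
	h := sha256.New()
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], index)
	h.Write(buf[:])
	binary.BigEndian.PutUint64(buf[:], uint64(ts))
	h.Write(buf[:])
	h.Write(prev[:])
	binary.BigEndian.PutUint64(buf[:], uint64(len(payload))) // length prefix: no field ambiguity
	h.Write(buf[:])
	h.Write(payload)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Append signs a new entry at the source and links it to the previous one.
func Append(wal []Entry, priv ed25519.PrivateKey, ts int64, payload []byte) []Entry {
	var prev [32]byte
	if n := len(wal); n > 0 {
		prev = wal[n-1].Hash
	}
	e := Entry{Index: uint64(len(wal)), Timestamp: ts, PrevHash: prev, Payload: payload}
	e.Hash = entryDigest(e.Index, e.Timestamp, e.PrevHash, e.Payload)
	e.Sig = ed25519.Sign(priv, e.Hash[:])
	return append(wal, e)
}

// Verify is the client-side check: it needs only the trusted public key.
// It returns the index of the first bad entry, or -1 if the chain is intact.
func Verify(wal []Entry, pub ed25519.PublicKey) (int, error) {
	var prev [32]byte
	for i, e := range wal {
		if e.Index != uint64(i) {
			return i, errors.New("index gap: entry removed or reordered")
		}
		if e.PrevHash != prev {
			return i, errors.New("chain break: prev hash mismatch")
		}
		if i > 0 && e.Timestamp < wal[i-1].Timestamp {
			return i, errors.New("timestamp goes backwards")
		}
		if entryDigest(e.Index, e.Timestamp, e.PrevHash, e.Payload) != e.Hash {
			return i, errors.New("content modified: hash mismatch")
		}
		if !ed25519.Verify(pub, e.Hash[:], e.Sig) {
			return i, errors.New("bad signature")
		}
		prev = e.Hash
	}
	return -1, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	var wal []Entry
	wal = Append(wal, priv, 1000, []byte("alpha")) // constructed sample entries
	wal = Append(wal, priv, 1001, []byte("beta"))
	wal = Append(wal, priv, 1002, []byte("gamma"))
	fmt.Println(Verify(wal, pub)) // -1 <nil>

	tampered := append([]Entry(nil), wal...)
	tampered[1].Payload = []byte("BETA")
	fmt.Println(Verify(tampered, pub)) // 1 content modified: hash mismatch
}
```

Note that every check runs against the signed digest, so a client that holds only the publisher's public key can detect a spliced, edited, re-timestamped or re-signed entry without any cooperation from whoever served it the file.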
Out of scope:
- Attacks requiring physical access to the signing machine
- Social engineering
- Attacks on the optional Spine server (report to separate channel)
We prefer all communications to be in English.
We follow coordinated disclosure:
- Reporter sends vulnerability details
- We acknowledge within 48 hours
- We investigate and develop a fix
- We coordinate disclosure timing with reporter
- We release fix and publish advisory
- Reporter may publish details after fix is released
We maintain a security acknowledgments section in our release notes for researchers who responsibly disclose vulnerabilities.