| Version | Supported |
|---|---|
| 2.x | Yes |
| 1.x | Security fixes only |
| < 1.0 | No |
If you discover a security vulnerability in God Clause, please do not open a public issue.
Instead, report it privately:
- Email: Send details to security@god-clause.dev
- Subject: `[SECURITY] Brief description`
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 5 business days
- Fix timeline: Depends on severity
  - Critical (RCE, auth bypass, audit chain tampering): Patch within 72 hours
  - High (data exposure, policy bypass): Patch within 1 week
  - Medium (information disclosure, DoS): Patch within 2 weeks
  - Low: Next scheduled release
The following are in scope for security reports:
- Policy evaluation bypass (rules not enforced correctly)
- Audit chain integrity violations (hash chain tampering)
- DSSE signature verification bypass
- HMAC signing weaknesses
- Authentication/authorization bypass in the REST API
- Injection vulnerabilities in contract parsing
- Denial of service via crafted contracts or inputs
The following are out of scope:
- Vulnerabilities in dependencies (report upstream, but notify us)
- Issues requiring physical access to the server
- Social engineering attacks
- Misconfiguration of deployment (e.g., running without an HMAC secret)
We follow coordinated disclosure:
- Reporter notifies us privately
- We confirm and develop a fix
- We release the fix and publish a security advisory
- Reporter may publish details 30 days after the fix is released
We credit security researchers in our release notes and CHANGELOG (unless they prefer anonymity).