Skip to content

Security: mitander/kapsel

Security

SECURITY.md

Security policy

Status: draft.

Owns: Security reporting and the boundary for security-sensitive claims.

Does not own: The threat model, proof contracts, operational assurance, or release status.

Kapsel is pre-release and has no supported production version. Do not use the current repository for consequential production actions.

Reporting a vulnerability

Do not open a public issue for a suspected vulnerability involving package parsing, signature or receipt verification, trust evaluation, key handling, storage recovery, profile linkage, or disclosure of sensitive material. Report it privately through GitHub Security Advisories. Include the affected revision, reproduction steps, impact, and whether disclosure is time-sensitive.

No response-time or remediation SLA is promised before production assurance work in KAP-0022.

Security boundary

The current security model is defined by:

A valid signature authenticates bytes under a key. External policy decides whether that key has authority. Reports must preserve that distinction.

Legacy code

The active implementation is still the pre-pivot webhook alpha while KAP-0018 proceeds. It does not implement the current Kapsel V1 security contract. Historical behavior is not a supported security guarantee.

There aren't any published security advisories