Security | Beginner | 5 min read

Vulnerability Disclosure

How to responsibly report security vulnerabilities in Forge EC. We appreciate the security community's help in keeping our users safe.

Overview

Forge EC takes security seriously. We appreciate the security community's efforts to responsibly disclose vulnerabilities and help us maintain the highest security standards for our cryptographic library.

Security First:

We are committed to addressing security vulnerabilities promptly and transparently. Your responsible disclosure helps protect all Forge EC users.

Scope

This vulnerability disclosure policy covers security issues in the Forge EC library and its official documentation and examples.

In Scope

  • Cryptographic vulnerabilities: Implementation flaws in cryptographic algorithms
  • Side-channel attacks: Timing attacks, cache attacks, power analysis vulnerabilities
  • Memory safety issues: Buffer overflows, use-after-free, memory leaks with security implications
  • API security flaws: Insecure defaults, dangerous API designs
  • Dependency vulnerabilities: Security issues in critical dependencies
  • Documentation security issues: Misleading security guidance or insecure examples

Out of Scope

  • Issues in third-party applications using Forge EC
  • Theoretical attacks without practical exploitation
  • Issues requiring physical access to the target system
  • Social engineering attacks
  • Denial of service attacks without security implications

Reporting Process

Please follow these steps to report a security vulnerability:

Do NOT create public GitHub issues for security vulnerabilities!

Please use our private security reporting channels to avoid exposing users to risk.

Step 1: Prepare Your Report

Include the following information in your vulnerability report:

  • Vulnerability description: Clear explanation of the security issue
  • Affected versions: Which versions of Forge EC are affected
  • Impact assessment: Potential security impact and attack scenarios
  • Proof of concept: Code or steps to reproduce the vulnerability
  • Suggested fix: If you have ideas for remediation
  • Your contact information: For follow-up questions

Step 2: Submit Your Report

Send your vulnerability report to:

Security Contact
Email: security@forge-ec.dev
Subject: [SECURITY] Vulnerability Report - [Brief Description]

Alternative: GitHub Security Advisory
https://github.com/tanm-sys/forge-ec/security/advisories/new

Response Timeline

We are committed to responding to security reports promptly:

1. Initial Response
   Within 24 hours: Acknowledgment of your report

2. Assessment
   Within 72 hours: Initial assessment and severity classification

3. Resolution
   Critical: 7 days, High: 30 days, Medium: 90 days

4. Disclosure
   After fix: Coordinated public disclosure

Disclosure Guidelines

Please follow these guidelines when reporting security vulnerabilities:

Responsible Disclosure Principles

  • Private reporting: Report vulnerabilities privately before public disclosure
  • Reasonable time: Allow reasonable time for fixes before public disclosure
  • No exploitation: Do not exploit vulnerabilities beyond proof-of-concept
  • No data access: Do not access or modify user data
  • Coordinated disclosure: Work with us on disclosure timing

What NOT to Do

Prohibited Activities:
  • Creating public GitHub issues for security vulnerabilities
  • Posting vulnerabilities on social media or forums
  • Attempting to access production systems or user data
  • Performing denial of service attacks
  • Social engineering attacks against team members

Recognition Program

We appreciate security researchers who help improve Forge EC's security.

Hall of Fame

Researchers who responsibly disclose valid security vulnerabilities will be recognized in our:

  • Security Hall of Fame: Listed on our website and documentation
  • Release Notes: Credited in security update announcements
  • CVE Credits: Named in CVE database entries (when applicable)
  • Social Recognition: Acknowledged on our social media channels

Severity Classifications

Vulnerability Severity Levels:
  • Critical: Remote code execution, cryptographic breaks
  • High: Privilege escalation, significant data exposure
  • Medium: Information disclosure, denial of service
  • Low: Minor security improvements, edge cases

Contact Information

There are several ways to report security vulnerabilities to us securely:

Primary Contact Methods

Security Contact Details
Primary Email: security@forge-ec.dev
GitHub Security: https://github.com/tanm-sys/forge-ec/security/advisories/new
Maintainer: Tanmay Patil (tanm-sys)
Response Time: Within 24 hours

PGP Key Fingerprint: [Available on request]
Signal: [Available on request for critical issues]

Encrypted Communication

For highly sensitive vulnerabilities, we support encrypted communication:

  • PGP/GPG: Request our public key via email
  • Signal: Available for critical vulnerabilities
  • GitHub Security Advisories: Built-in private reporting

Thank You!

Your security research helps protect all Forge EC users. We're committed to working with the security community to maintain the highest standards of cryptographic security.