Reporting vulnerabilities
Email security@skytale.sh with:
- Description of the vulnerability
- Steps to reproduce
- Affected component(s)
- Potential impact assessment
Response timeline
Section titled “Response timeline”| Action | Timeframe |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Status update | Every 7 days until resolved |
Severity levels
Section titled “Severity levels”| Severity | Examples | Target resolution |
|---|---|---|
| Critical | Remote code execution, key material exposure, MLS bypass | 72 hours |
| High | Authentication bypass, privilege escalation | 7 days |
| Medium | Information disclosure, denial of service | 30 days |
| Low | Minor issues, hardening improvements | Next scheduled release |
All Skytale components are in scope:
- skytale-relay: QUIC/gRPC relay server
- skytale-sdk: Python SDK and Rust native extension
- skytale-mls: MLS encryption engine
- skytale-net: Iroh networking layer
- skytale-store: SQLCipher storage
- API server: REST API (accounts, keys, metering)
- CLI: command-line tool
Security design principles
Section titled “Security design principles”Skytale is built with these security properties:
- End-to-end encryption: all channel messages are encrypted using MLS (RFC 9420). The relay never sees plaintext.
- Zero-knowledge relay: relay nodes cannot decrypt channel data. They route ciphertext only.
- Forward secrecy: MLS epoch advancement provides forward secrecy; compromising current keys does not expose past messages.
- Key zeroization: all cryptographic key material in memory is zeroized on drop using the
zeroizecrate. - No plaintext logging: message content and key material are never logged at any level, including TRACE.
Supported versions
Section titled “Supported versions”| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous releases | Security fixes only |
Credit
Section titled “Credit”We credit security researchers in release notes (with your permission). If you’d like to be credited, please include your preferred name and any relevant links in your report.
Contact
Section titled “Contact”- Security reports: security@skytale.sh