Security Policy
Coordinated disclosure process and security guidelines for PEAC Protocol.
Reporting Security Issues
⚠ Private Disclosure
Please do NOT report security vulnerabilities through public GitHub issues.
For security reports, contact us privately:
What to Include
When reporting security issues, please provide:
- Description: Clear description of the vulnerability
- Impact: Potential security impact and affected components
- Reproduction: Step-by-step instructions to reproduce
- Environment: Version numbers, system details
- Mitigation: Any workarounds you've identified
Response Timeline
- Within 48 hours: Acknowledge receipt of security report
- Within 1 week: Initial assessment and severity classification
- Coordinated timeline: Work together on fix development and disclosure timeline
Security Best Practices
For Implementations
- Validate all policy files and negotiation inputs
- Implement proper rate limiting and DDoS protection
- Use HTTPS for all PEAC endpoints
- Validate receipt signatures cryptographically
- Implement replay protection for DPoP proofs
- Sanitize and validate all user inputs
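As an added illustration of the replay-protection item above (example code written for this page, not PEAC's own implementation): a per-jti cache with a freshness window for DPoP proof claims, checked only after the proof's signature has already been verified against the client's key. The class and method names and the constructed claims are this example's own assumptions.

```python
import time
from typing import Callable, Dict, Tuple

# Constructed example: replay protection for DPoP proof claims (RFC 9449 style).
# It assumes the proof JWS signature was verified earlier; here we only check
# that the same proof is not accepted twice and that it is bound to the request.
# DpopReplayGuard / check_proof are names chosen for this example, not PEAC's API.


class DpopReplayGuard:
    """Rejects DPoP proofs whose jti was already seen or whose iat is stale."""

    def __init__(self, max_age_s: int = 300, clock: Callable[[], float] = time.time):
        self.max_age_s = max_age_s          # allowed |now - iat| in seconds
        self.clock = clock                  # injectable for deterministic tests
        self._seen: Dict[str, float] = {}   # jti -> last instant it could still be fresh

    def _evict(self, now: float) -> None:
        # A jti older than the window would fail the iat check anyway, so forget it;
        # this keeps the cache bounded by the number of proofs seen per window.
        for jti in [j for j, exp in self._seen.items() if exp < now]:
            del self._seen[jti]

    def check_proof(self, claims: dict, method: str, url: str) -> Tuple[bool, str]:
        now = self.clock()
        self._evict(now)
        for field in ("jti", "iat", "htm", "htu"):
            if field not in claims:
                return False, f"missing claim: {field}"
        # Bind the proof to this exact HTTP method and target URL.
        if claims["htm"] != method or claims["htu"] != url:
            return False, "proof not bound to this request"
        iat = claims["iat"]
        if not isinstance(iat, (int, float)) or abs(now - iat) > self.max_age_s:
            return False, "iat outside freshness window"
        jti = claims["jti"]
        if jti in self._seen:
            return False, "replayed jti"
        # Remember the jti until its iat would fail the freshness check on its own.
        self._seen[jti] = iat + self.max_age_s
        return True, "ok"


def demo() -> Tuple[bool, str]:
    # Constructed claims for a PEAC negotiation endpoint (placeholder host).
    guard = DpopReplayGuard(max_age_s=300)
    claims = {"jti": "b3e1", "iat": int(time.time()), "htm": "POST",
              "htu": "https://example.test/peac/negotiate"}
    guard.check_proof(claims, "POST", "https://example.test/peac/negotiate")
    return guard.check_proof(claims, "POST", "https://example.test/peac/negotiate")
```

The second call in `demo()` returns `(False, "replayed jti")`; a production guard would back the cache with a shared store when several server instances accept the same proofs.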
For Deployments
- Keep implementations updated to latest versions
- Monitor for security advisories
- Use secure key management for JWKS
- Implement proper access controls
- Enable security logging and monitoring
Security Advisories
Security advisories are published through:
- GitHub Security Advisories
- Release notes for affected versions
- Community notifications via official channels
Scope
This security policy covers:
- PEAC Protocol specification vulnerabilities
- Reference implementations and tools
- Official adapters and extensions
- Infrastructure and deployment guides
Third-party implementations have their own security policies; please refer to their respective maintainers.