We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
| < 0.1 | ❌ |
We take the security of Hanzo Rust SDK seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please report them via email to security@hanzo.ai.
You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.
Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
- Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, cryptographic weakness, etc.)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit the issue
We prefer all communications to be in English.
When we receive a security bug report, we will:
- Confirm the receipt of your vulnerability report
- Work with you to understand and validate the report
- Keep you informed about the progress towards a fix and full announcement
- Credit you in the security advisory (unless you prefer to remain anonymous)
When contributing to this repository, please:
- Never commit secrets: API keys, passwords, or certificates
- Use secure randomness: Always use cryptographically secure RNGs
- Validate inputs: Sanitize and validate all external inputs
- Handle errors safely: Don't expose sensitive information in error messages
- Use safe dependencies: Keep dependencies updated and audited
- Follow cryptographic best practices: Don't roll your own crypto
Hanzo Rust SDK includes several security features:
- Post-Quantum Cryptography: ML-KEM and ML-DSA for quantum resistance
- Hardware Attestation: Support for SEV-SNP, TDX, and GPU TEE
- Key Hierarchy: Secure key derivation and management
- Privacy Tiers: Granular security levels from open to TEE-I/O
- Audit Logging: Comprehensive audit trail for all operations
We conduct regular security audits:
- Automated scanning with
cargo audit - Dependency vulnerability checking
- Static analysis with
cargo clippy - Fuzzing of critical components
This software includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software.
For any security-related questions, please contact:
- Email: security@hanzo.ai
- GPG Key: Available at https://hanzo.ai/security.asc