We release patches for security vulnerabilities in the following versions:

The Synaptic team takes security bugs seriously. We appreciate your efforts to responsibly disclose your findings.

Please do not report security vulnerabilities through public GitHub issues.

Instead, please report them via email to: me@njf.io

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the following information in your report:

• Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
• Full paths of source file(s) related to the manifestation of the issue
• The location of the affected source code (tag/branch/commit or direct URL)
• Any special configuration required to reproduce the issue
• Step-by-step instructions to reproduce the issue
• Proof-of-concept or exploit code (if possible)
• Impact of the issue, including how an attacker might exploit it

This information will help us triage your report more quickly.

After you submit a report:

1. Acknowledgment: We'll acknowledge receipt of your vulnerability report within 48 hours.

2. Investigation: Our security team will investigate the issue and determine its impact and severity.

3. Status Updates: We'll keep you informed about our progress throughout the process.

4. Resolution: We'll work on a fix and coordinate a release timeline with you.

5. Credit: With your permission, we'll publicly credit you for the responsible disclosure.

1. The reported vulnerability is confirmed
2. A fix is developed and tested
3. A new release is prepared with the security fix
4. A security advisory is published
5. The fix is released publicly

1. Always use TLS/SSL in production deployments
2. Rotate credentials regularly for database and external services
3. Enable audit logging to track access and modifications
4. Use strong encryption for sensitive data at rest
5. Implement rate limiting to prevent abuse

1. Never commit secrets to version control
2. Use environment variables or secret management systems
3. Restrict database access to necessary services only
4. Enable firewall rules to limit network exposure
5. Keep dependencies updated to patch known vulnerabilities

1. Implement proper authentication for all API endpoints
2. Use role-based access control (RBAC) where appropriate
3. Log security events for audit purposes
4. Implement session management with proper timeouts
5. Validate all inputs to prevent injection attacks

The following features are experimental and should NOT be used in production for security-critical applications:

• Homomorphic Encryption: Minimal implementation, experimental only
• Zero-Knowledge Proofs: Basic stubs, not functional
• WebAssembly Support: Requires comprehensive security audit

We actively monitor our dependencies for security vulnerabilities using:

• cargo-audit in CI/CD pipeline
• cargo-deny for license and advisory checking
• Automated Dependabot updates

This project uses Rust's memory safety guarantees and follows these security practices:

• No unsafe code (enforced by forbid(unsafe_code))
• No unwrap() in production (enforced by clippy)
• No panic!() in production (enforced by clippy)
• Comprehensive error handling with proper Result types

We recognize and thank the following security researchers for responsibly disclosing vulnerabilities:

(No reports yet)

• No formal security audits conducted yet
• Continuous automated security scanning via GitHub Actions
• Regular dependency updates and vulnerability monitoring

Synaptic is designed to support compliance with various security standards:

• OWASP Top 10: Web application security risks
• CWE/SANS Top 25: Most dangerous software weaknesses
• NIST Cybersecurity Framework: Industry standards for security

• OWASP Secure Coding Practices
• Rust Security Guidelines
• CIS Benchmarks

If you have questions about this security policy, please email: me@njf.io

Last Updated: 2025-10-21