The Aranya team takes security seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.
Discovered issues can be communicated privately to our security team at: [email protected].
Please do not report security vulnerabilities through public GitHub issues. We also appreciate being provided with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party. We may disclose the issue before resolution, if appropriate.
Please include the following information in your report if applicable:
- Description of the vulnerability
- Aranya software version, hardware platform and OS version
- Logs and artifacts
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Suggested mitigation or fix (if any)
- Your name/handle (if you wish to be credited)
The latest version or release is supported.
When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, involving the following steps:
- Confirm the problem and determine the affected versions.
- Audit code to find any potential similar problems.
- Prepare fixes for all still-supported releases.
- Release new security fix versions and update the public repository.
If you have suggestions on how this process could be improved, please submit a pull request or open an issue in our public repository.
Last Updated: 10OCT2024