Security Policy
Coordinated disclosure process and security guidelines for PEAC Protocol.
Reporting Security Issues
Private Disclosure
Please do NOT report security vulnerabilities through public GitHub issues.
For security reports, contact us privately:
What to Include
When reporting security issues, please provide:
- Description: Clear description of the vulnerability
- Impact: Potential security impact and affected components
- Reproduction: Step-by-step instructions to reproduce
- Environment: Version numbers, system details
- Mitigation: Any workarounds you've identified
Response Timeline
- Within 48 hours: acknowledge receipt of the security report
- Within 1 week: initial assessment and severity classification
- Coordinated timeline: agree with the reporter on fix development and a disclosure date
Security Best Practices
For Implementations
- Validate all policy files and negotiation inputs before acting on them; reject anything that does not match the expected schema
- Implement rate limiting and DDoS protection on every public endpoint
- Use HTTPS for all PEAC endpoints
- Verify receipt signatures cryptographically against the issuer's published keys before trusting a receipt
- Implement replay protection for DPoP proofs: reject a reused jti, a stale iat, and a proof whose htm/htu do not match the request being served
- Treat all other user-supplied input as untrusted; sanitize and validate it
For Deployments
- Keep implementations updated to the latest released versions
- Monitor security advisories for the versions you run
- Store JWKS signing keys in a secure key store, publish only the public keys, and rotate them on a schedule
- Restrict administrative, key-management and policy-editing functions to authorized principals
- Enable security logging and monitoring, including failed signature and replay checks
Security Advisories
Security advisories are published through:
- GitHub Security Advisories
- Release notes for affected versions
- Community notifications via official channels
Scope
This security policy covers:
- PEAC Protocol specification vulnerabilities
- Reference implementations and tools
- Official adapters and extensions
- Infrastructure and deployment guides
Third-party implementations have their own security policies - please refer to their respective maintainers.