v0.12.11

Security Policy

Coordinated disclosure process and security guidelines for PEAC Protocol.

Security Posture

Cryptography

Ed25519 (RFC 8032) signatures via JWS compact serialization. No embedded keys, no ambient key discovery. JOSE hardening rejects b64:false, zip, crit, and embedded JWKs.

Verification

Offline verification with caller-provided public keys. No implicit network calls during verification. Fail-closed defaults on all validation paths.

Network Safety

SSRF prevention by design: URLs are locator hints only, never implicitly fetched. MCP server binds to localhost only with CORS deny-all, rate limiting, and request size limits.

Supply Chain

OIDC-based npm publishing with provenance attestation. GitHub Actions pinned to full SHA. CodeQL security-extended analysis. Dependency review on all PRs.

For detailed security analysis, see the Security & Evaluation page.

Reporting Security Issues

Private Disclosure Required

Please do NOT report security vulnerabilities through public GitHub issues.

For security reports, contact us privately:

Email

security@peacprotocol.org

Include “SECURITY” in the subject line

What to Include

When reporting security issues, please provide:

-Description: Clear description of the vulnerability

-Impact: Potential security impact and affected components

-Reproduction: Step-by-step instructions to reproduce

-Environment: Version numbers, system details

-Mitigation: Any workarounds you've identified

Response Timeline

Within 48 hours

Acknowledge receipt of security report

Within 1 week

Initial assessment and severity classification

Coordinated timeline

Work together on fix development and disclosure timeline

Security Best Practices

For Implementations

-Validate all policy files and negotiation inputs

-Implement proper rate limiting and DDoS protection

-Use HTTPS for all PEAC endpoints

-Validate receipt signatures cryptographically

-Implement replay protection for DPoP proofs

-Sanitize and validate all user inputs

For Deployments

-Keep implementations updated to latest versions

-Monitor for security advisories

-Use secure key management for JWKS

-Implement proper access controls

-Enable security logging and monitoring

Security Advisories

Security advisories are published through:

-GitHub Security Advisories

-Release notes for affected versions

-Community notifications via official channels

Scope

This security policy covers:

-PEAC Protocol specification vulnerabilities

-Reference implementations and tools

-Official adapters and extensions

-Infrastructure and deployment guides

Third-party implementations have their own security policies - please refer to their respective maintainers.

Back to home