Security Policy

Security is our top priority. Learn how to report vulnerabilities and follow best practices.

Supported Versions

Version    Supported
1.x.x      Supported

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in NoiseFramework, please report it privately to help protect users before the issue is made public.

How to Report

1. GitHub Security Advisories (Preferred)

Report via GitHub Security Advisories for the fastest response.


2. Email

Alternatively, send details to the maintainer via GitHub.

Subject

SECURITY: NoiseFramework - [Brief Description]

Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (if applicable)

What to Expect

Initial Response: Within 48 hours
Status Update: Within 7 days with assessment and timeline
Fix Timeline: Critical issues within 30 days
Disclosure: Coordinated disclosure after fix is released

Security Considerations

NoiseFramework is a cryptographic library. When using it, follow these best practices:

1. Key Management

Never hardcode private keys in your application. Use secure key storage mechanisms.

2. Random Number Generation

Ensure your system's RNG is properly seeded and uses a cryptographically secure source.
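The two practices above (no hardcoded keys, key material only from a cryptographically secure source) are easy to state and easy to get subtly wrong. The following is an added example, not NoiseFramework's own code: it generates a 32-byte X25519-sized static key from the OS CSPRNG via the `secrets` module, stores it in a file created with mode 0600 from the start, refuses to load a key file that group or other can access, and shows the environment-variable alternative. The file name, the `NOISE_STATIC_KEY` variable name and the permission check (which assumes a POSIX filesystem) are assumptions for illustration.

```python
import os
import secrets
import stat
from pathlib import Path

KEY_LEN = 32  # X25519 private keys are 32 bytes


def generate_private_key() -> bytes:
    """Draw key material from the OS CSPRNG (secrets -> os.urandom).

    Never use the `random` module for keys: it is a Mersenne Twister
    with a predictable seed and no resistance to output prediction.
    """
    return secrets.token_bytes(KEY_LEN)


def store_private_key(path: Path, key: bytes) -> None:
    """Write the key to a file readable only by the current user (mode 0600)."""
    if len(key) != KEY_LEN:
        raise ValueError(f"expected {KEY_LEN}-byte key, got {len(key)}")
    # Create with the restrictive mode in the same call, so there is no
    # window in which the file exists with default (world-readable) bits.
    # O_EXCL refuses to overwrite an existing key file.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)


def load_private_key(path: Path) -> bytes:
    """Load a key, refusing files that other users can read or write.

    Assumes POSIX permission bits; on Windows this check is not meaningful.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible to group/other (mode {oct(mode)})")
    key = path.read_bytes()
    if len(key) != KEY_LEN:
        raise ValueError(f"{path}: expected {KEY_LEN} bytes, got {len(key)}")
    return key


def private_key_from_env(var: str = "NOISE_STATIC_KEY") -> bytes:
    """Alternative to a file: the deployment environment supplies the key as hex.

    The variable name is a hypothetical choice for this example.
    """
    raw = os.environ.get(var)
    if raw is None:
        raise KeyError(f"{var} is not set")
    key = bytes.fromhex(raw)
    if len(key) != KEY_LEN:
        raise ValueError(f"{var}: expected {KEY_LEN} bytes, got {len(key)}")
    return key


def demo() -> dict:
    """Round-trip a key through a temporary directory and report what happened."""
    import tempfile

    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "static.key"  # constructed path for the example
        key = generate_private_key()
        store_private_key(path, key)
        results["roundtrip_ok"] = load_private_key(path) == key
        try:
            store_private_key(path, key)
            results["refused_overwrite"] = False
        except FileExistsError:
            results["refused_overwrite"] = True
        os.chmod(path, 0o644)  # simulate a careless deployment step
        try:
            load_private_key(path)
            results["refused_world_readable"] = False
        except PermissionError:
            results["refused_world_readable"] = True
    os.environ["NOISE_STATIC_KEY"] = key.hex()
    results["env_ok"] = private_key_from_env() == key
    del os.environ["NOISE_STATIC_KEY"]
    return results


if __name__ == "__main__":
    print(demo())
```

The checks in `load_private_key` are deliberately strict: a key file that is readable by other accounts should be treated as compromised rather than silently used, and a refusal at startup is far cheaper than a leaked static key.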

3. Pattern Selection

Choose appropriate Noise patterns for your threat model:

  • Use XX for mutual authentication
  • Use IK when the responder's static public key is known to the initiator in advance
  • Avoid NN in production (no authentication)

4. Dependencies

Keep the cryptography library updated to receive security patches.

5. Side Channels

Be aware that this implementation has not been audited for side-channel resistance.

6. Protocol Version

Ensure both parties use compatible NoiseFramework versions.

Cryptographic Implementations

NoiseFramework relies on the following cryptographic primitives from the well-vetted pyca/cryptography library:

DH Functions
  • Curve25519 (X25519)
  • Curve448 (X448)

AEAD Ciphers
  • ChaCha20-Poly1305
  • AES-256-GCM

Hash Functions
  • SHA-256
  • SHA-512
  • BLAKE2s
  • BLAKE2b
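To show how these primitives fit together, here is an added example that calls pyca/cryptography directly rather than NoiseFramework's own API: an X25519 agreement, a SHA-256 key derivation in the HMAC-based HKDF form the Noise specification defines, and a ChaCha20-Poly1305 cipher state that builds its 12-byte nonce from a 64-bit little-endian counter (32 zero bits followed by the counter, as the Noise spec requires). The `CipherState` class and `demo` function are a simplified sketch for illustration, not NoiseFramework's classes; the initial chaining key is a constructed placeholder, since a real handshake also mixes the handshake messages into it. The `cryptography` imports are deferred into the functions so the module loads even where that package is absent.

```python
import hashlib
import hmac
import struct

PROTOCOL_NAME = b"Noise_XX_25519_ChaChaPoly_SHA256"


def x25519_keypair():
    """Generate a private key and the raw 32-byte public key to send to the peer."""
    from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey
    from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

    priv = X25519PrivateKey.generate()
    pub = priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
    return priv, pub


def x25519_shared(priv, peer_pub_bytes: bytes) -> bytes:
    """DH(priv, peer_pub): both sides obtain the same 32-byte secret."""
    from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PublicKey

    return priv.exchange(X25519PublicKey.from_public_bytes(peer_pub_bytes))


def noise_hkdf(ck: bytes, ikm: bytes):
    """HKDF(chaining_key, input_key_material) with two outputs, per the Noise spec."""
    temp = hmac.new(ck, ikm, hashlib.sha256).digest()
    out1 = hmac.new(temp, b"\x01", hashlib.sha256).digest()
    out2 = hmac.new(temp, out1 + b"\x02", hashlib.sha256).digest()
    return out1, out2  # (new chaining key, cipher key)


def nonce_for(n: int) -> bytes:
    """ChaChaPoly nonce in Noise: 4 zero bytes then the 64-bit LE counter."""
    if not 0 <= n < 2**64 - 1:
        raise OverflowError("nonce exhausted; a rekey is required before continuing")
    return b"\x00" * 4 + struct.pack("<Q", n)


class CipherState:
    """Sketch of a Noise CipherState: one key, a counter that never repeats."""

    def __init__(self, key: bytes):
        from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305

        if len(key) != 32:
            raise ValueError("ChaCha20-Poly1305 needs a 32-byte key")
        self._aead = ChaCha20Poly1305(key)
        self.n = 0

    def encrypt(self, ad: bytes, plaintext: bytes) -> bytes:
        ct = self._aead.encrypt(nonce_for(self.n), plaintext, ad)
        self.n += 1
        return ct

    def decrypt(self, ad: bytes, ciphertext: bytes) -> bytes:
        # A failed tag check raises before the counter moves, so a forged
        # message cannot desynchronise the nonce sequence.
        pt = self._aead.decrypt(nonce_for(self.n), ciphertext, ad)
        self.n += 1
        return pt


def demo() -> dict:
    """Two parties agree a key, exchange messages, and reject a tampered one."""
    from cryptography.exceptions import InvalidTag

    a_priv, a_pub = x25519_keypair()
    b_priv, b_pub = x25519_keypair()
    ss_a, ss_b = x25519_shared(a_priv, b_pub), x25519_shared(b_priv, a_pub)

    # Simplified chaining-key setup: the protocol name zero-padded to 32 bytes.
    ck0 = PROTOCOL_NAME.ljust(32, b"\x00")
    _, k_a = noise_hkdf(ck0, ss_a)
    _, k_b = noise_hkdf(ck0, ss_b)
    sender, receiver = CipherState(k_a), CipherState(k_b)

    ct1 = sender.encrypt(b"hdr", b"hello")
    ct2 = sender.encrypt(b"hdr", b"hello")  # same plaintext, fresh nonce
    results = {
        "shared_secret_matches": ss_a == ss_b,
        "nonces_distinct": ct1 != ct2,
        "roundtrip_ok": receiver.decrypt(b"hdr", ct1) == b"hello",
    }
    tampered = bytes([ct2[0] ^ 0x01]) + ct2[1:]  # constructed one-bit corruption
    try:
        receiver.decrypt(b"hdr", tampered)
        results["tamper_detected"] = False
    except InvalidTag:
        results["tamper_detected"] = True
    results["counter_not_advanced_on_failure"] = receiver.n == 1
    results["genuine_still_decrypts"] = receiver.decrypt(b"hdr", ct2) == b"hello"
    return results


if __name__ == "__main__":
    print(demo())
```

The point a reviewer should take from `CipherState` is the nonce discipline: under ChaCha20-Poly1305 (and AES-GCM) a repeated nonce under one key breaks confidentiality and authenticity, so the counter is the only nonce source, it is never reset, and it is only advanced after a message authenticates.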

Known Limitations

  • No formal security audit: This library has not undergone professional cryptographic audit
  • Timing attacks: Implementation prioritizes correctness over constant-time operations
  • Memory safety: Python's memory management may leave sensitive data in memory
  • Educational purpose: While production-ready, use in high-security environments should include additional review

Security Updates

Security patches will be:

  • Released as patch versions (e.g., 1.0.1)
  • Documented in the Changelog
  • Announced via GitHub Security Advisories
  • Tagged with appropriate CVE if applicable

Acknowledgments

We appreciate the security research community's efforts in making NoiseFramework more secure. Reporters will be acknowledged in the Changelog unless they prefer to remain anonymous.
