| Version | Supported |
|---|---|
| 0.1.x | ✅ |
We take the security of CAP-SRP seriously. If you believe you have found a security vulnerability, please report it to us responsibly.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
Please include the following information:
- Type of vulnerability (e.g., cryptographic weakness, information disclosure, etc.)
- Full path of source file(s) related to the vulnerability
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment - what an attacker could achieve
- Acknowledgment: We will acknowledge receipt of your report within 48 hours
- Initial Assessment: We will provide an initial assessment within 5 business days
- Status Updates: We will keep you informed of our progress
- Credit: We will credit you (if desired) in our security advisories
The following are in scope for security reports:
- CAP-SRP core library (
cap_srp/core/) - Cryptographic implementations (Ed25519 signing, Merkle trees)
- Hash chain integrity mechanisms
- Dashboard authentication/authorization (if applicable)
The following are out of scope:
- Vulnerabilities in third-party dependencies (report to the respective project)
- Social engineering attacks
- Physical attacks
- Denial of service attacks that don't reveal exploitable vulnerabilities
CAP-SRP uses the following cryptographic primitives:
| Component | Algorithm | Standard |
|---|---|---|
| Signing | Ed25519 | RFC 8032 |
| Hashing | SHA-256 | FIPS 180-4 |
| Merkle Tree | RFC 6962 format | Certificate Transparency |
- Private keys should never be stored in source code or logs
- Use environment variables or secure key management systems
- Rotate keys periodically according to your security policy
CAP-SRP is designed with privacy in mind:
- Prompts are never stored - only their SHA-256 hashes
- User context is hashed before storage
- Generated content is referenced by hash only
The security of CAP-SRP depends on:
- Hash chain integrity - Each event links to the previous
- Ed25519 signatures - Events cannot be forged
- Merkle proofs - Third parties can verify inclusion
- External anchoring - TSA timestamps prevent backdating
When deploying CAP-SRP:
- Protect signing keys - Use HSMs or secure key storage
- Monitor the log - Set up alerts for chain breaks
- External anchoring - Regularly anchor Merkle roots to TSA
- Backup strategy - Maintain secure backups of the event log
- Access control - Limit who can write to the event log
For transparency, here are the public keys used to sign CAP-SRP releases:
Release Signing Key: (To be added upon first release)
We thank the security researchers who have helped improve CAP-SRP:
- (Your name could be here!)
Last updated: January 2026