quantakrypto-tools is security tooling, so we hold the project to a high bar and
welcome reports. This policy follows the spirit of ISO/IEC 29147 (vulnerability
disclosure) and ISO/IEC 30111 (vulnerability handling).
The project is pre-1.0. Only the latest main is supported while the API
stabilises. Versioned support windows will be defined at the 1.0 release.
Please do not open public issues for security problems.
- Email security@quantakrypto.com (or the maintainers listed in
package.json). - Preferably use GitHub's private vulnerability reporting ("Report a vulnerability" on the Security tab).
- Include: affected package, version/commit, a reproduction, impact, and any suggested fix.
We aim to acknowledge within 3 business days and to provide a remediation plan within 10 business days. We will credit reporters who wish to be named.
These are developer tools that read source code and (for Sieve) drive an
external implementation. The most security-relevant surfaces — documented in
docs/audits/security.md — are:
@quantakrypto/mcpHTTP transport (packages/mcp/src/http.ts). The hosted transport now enforces several controls in code: constant-time Bearer auth, per-request timeouts that abort the in-flight scan, a file/byte work budget (QUANTAKRYPTO_MCP_MAX_FILES/QUANTAKRYPTO_MCP_MAX_BYTES, each clamped to a hard cap), filesystem path confinement to a root allow-list (QUANTAKRYPTO_MCP_ROOT, rejecting..traversal and out-of-root absolute paths), andOrigin/Hostvalidation to block DNS-rebinding. Thescan_path/inventory_cryptotools still read the filesystem, so keep the transport loopback-bound and behind a token rather than exposing it publicly. The local stdio transport (npx @quantakrypto/mcp) runs on the developer's own machine and remains the recommended path.@quantakrypto/sieverunner (packages/sieve/src/runner.ts). It spawns a user-provided implementation. Only point it at code you trust; treat the SUT as you would any executable.@quantakrypto/qscan/@quantakrypto/core. Scanning untrusted repositories is generally safe (no code execution, symlinks are not followed), but see the ReDoS notes in the security audit before scanning adversarial inputs at scale.
Known issues and their remediations are tracked in
docs/ROADMAP.md (the P0 — security & correctness block).
This file will be updated as those land.