Skip to content

Security: quantakrypto/pqc-tools

Security

SECURITY.md

Security Policy

quantakrypto-tools is security tooling, so we hold the project to a high bar and welcome reports. This policy follows the spirit of ISO/IEC 29147 (vulnerability disclosure) and ISO/IEC 30111 (vulnerability handling).

Supported versions

The project is pre-1.0. Only the latest main is supported while the API stabilises. Versioned support windows will be defined at the 1.0 release.

Reporting a vulnerability

Please do not open public issues for security problems.

We aim to acknowledge within 3 business days and to provide a remediation plan within 10 business days. We will credit reporters who wish to be named.

Scope & threat model

These are developer tools that read source code and (for Sieve) drive an external implementation. The most security-relevant surfaces — documented in docs/audits/security.md — are:

  • @quantakrypto/mcp HTTP transport (packages/mcp/src/http.ts). The hosted transport now enforces several controls in code: constant-time Bearer auth, per-request timeouts that abort the in-flight scan, a file/byte work budget (QUANTAKRYPTO_MCP_MAX_FILES / QUANTAKRYPTO_MCP_MAX_BYTES, each clamped to a hard cap), filesystem path confinement to a root allow-list (QUANTAKRYPTO_MCP_ROOT, rejecting .. traversal and out-of-root absolute paths), and Origin/Host validation to block DNS-rebinding. The scan_path / inventory_crypto tools still read the filesystem, so keep the transport loopback-bound and behind a token rather than exposing it publicly. The local stdio transport (npx @quantakrypto/mcp) runs on the developer's own machine and remains the recommended path.
  • @quantakrypto/sieve runner (packages/sieve/src/runner.ts). It spawns a user-provided implementation. Only point it at code you trust; treat the SUT as you would any executable.
  • @quantakrypto/qscan / @quantakrypto/core. Scanning untrusted repositories is generally safe (no code execution, symlinks are not followed), but see the ReDoS notes in the security audit before scanning adversarial inputs at scale.

Hardening status

Known issues and their remediations are tracked in docs/ROADMAP.md (the P0 — security & correctness block). This file will be updated as those land.

There aren't any published security advisories