Security fixes are applied to the current main branch.
Do not open public issues for vulnerabilities that could expose node operators or put message history integrity at risk.
Report privately to project maintainers with:
- affected commit/tag
- impact summary
- reproducible steps
- suggested mitigation if available

- Tor transport and control integration
- wire parsing and frame boundaries
- sync and history validation logic
- peer reputation/abuse controls
- storage append/replay correctness

- Acknowledge report.
- Reproduce and triage severity.
- Patch and validate with tests.
- Publish advisory with fixed commit/version.