Security: cryptspeak/webFlasher

SECURITY.md

Security Policy

Cryptspeak firmware handles sensitive data — Reticulum identities, LXMF messages, contacts, and passwords. We take vulnerability reports seriously and would rather hear about a problem privately than have it found in the wild.

Reporting a vulnerability

Please use GitHub Private Vulnerability Reporting rather than filing a public issue:

  1. Go to the repository's Security tab.
  2. Click Report a vulnerability.
  3. Describe the issue, including steps to reproduce and potential impact.

This applies to all repositories under the Cryptspeak org, including csCardputer and microReticulum.

If a repository does not have Private Vulnerability Reporting enabled, or you are unable to use it, you may reach out to the maintainer through their GitHub profile instead. Please do not open a public issue for unpatched vulnerabilities.

What to expect

Cryptspeak is currently maintained by one person, so response times can vary, but reports are taken seriously and acknowledged as soon as possible. There is no bug bounty program at this time.

Scope

In scope:

  • Vulnerabilities in firmware shipped by this org (encryption at rest, authentication/lockout, duress handling, identity and key management, memory safety issues that affect security)
  • Vulnerabilities in microReticulum that affect Reticulum/LXMF protocol security (signature verification, packet validation, etc.)

Out of scope:

  • Vulnerabilities in upstream projects we depend on but do not maintain (please report those upstream — see the org profile for an example of how we've done this in the past)
  • Issues that require physical access to the device combined with attacker capabilities the published threat model already accepts (those are known limitations, not vulnerabilities)

Supported versions

Cryptspeak is beta software under active development. Only the latest release receives security fixes. Please update before reporting to confirm the issue still applies.

There aren't any published security advisories