Pre-release project; only master (the main branch) currently receives fixes.
Email: [email protected]
Please include:
- Affected endpoints / functions
- Reproduction steps or proof-of-concept
- Impact assessment (confidentiality/integrity/availability)
- Any suggested remediation
You will receive acknowledgement within 72 hours with a tracking reference.
- Triage & reproduce.
- Assign severity (CVSS-style, qualitative).
- Prepare patch + tests.
- Coordinate disclosure date (default 14 days after fix unless actively exploited).
- Publish fix & brief advisory in repo (SECURITY-ADVISORIES if needed).
In scope: IP address parsing vulnerabilities, Tor exit list fetch bypass, access control bypass allowing Tor traffic when blocked (or vice versa), hash table collision attacks.
Out of scope: transport encryption (terminate TLS upstream), multi-tenancy isolation (not implemented).
Thank you for helping keep the project secure.