Please do NOT report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in AstraCipher, please report it responsibly:

Email: [email protected]

Please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Suggested fix (if any)

The following are in scope for security reports:

• @astracipher/crypto — Post-quantum cryptographic operations (ML-DSA-65, ECDSA P-256, ML-KEM-768)
• @astracipher/core — DID management, credential issuance/verification, trust chain validation
• @astracipher/cli — Key generation, credential handling
• @astracipher/mcp-server — MCP tool security
• @astracipher/a2a-adapter — A2A protocol authentication

• The project website (astracipher.com)
• Third-party dependencies (report to their maintainers directly)
• Social engineering attacks
• Denial of service attacks

AstraCipher uses audited cryptographic libraries:

• @noble/post-quantum — ML-DSA-65, ML-KEM-768
• @noble/curves — ECDSA P-256

Note: While the underlying cryptographic primitives are independently audited, the AstraCipher protocol implementation wrapping them has not yet undergone a formal third-party security audit. This is planned before v1.0 release.

• Keep your private keys secure — never commit them to version control
• Use the hybrid signature mode (both PQC + classical) for maximum security
• Rotate agent credentials regularly (recommended: every 90 days)
• Monitor your audit trail for unauthorized DID operations
• Use environment variables for API keys, never hardcode them