# Security Policy

## Reporting

Thank you for taking the time to responsibly disclose any problems you find.

**Do not file public issues as they are open for everyone to see!**

All security vulnerabilities in `xor-cipher` should be reported by email to [security@xor-cipher.org][Security Email]. Your report will be acknowledged within 24 hours, and you will receive a more detailed response within 48 hours indicating the next steps in handling your report.

You can encrypt your report using our public key: [`FF8BC4BD3679FEC28A1CF79ED063CCAB4A83E040`][Security Key]. This key is also available on [MIT's Key Server][MIT Key Server] and [reproduced below](#security-key).

After the initial reply to your report, the core team will try to keep you informed of the progress being made towards a fix and official announcement. These updates will be sent at least every five days. In reality, this is more likely to be every 24-48 hours.

## Disclosure Policy

`xor-cipher` has a 5-step disclosure process:

1. The security report is received and is assigned a primary handler. This person will coordinate the fix and release process.
2. The problem is confirmed and a list of all affected versions is determined.
3. Code is audited to find any potential similar problems.
4. Fixes are prepared for all releases which are still under maintenance. These fixes are not committed to the public repository but rather held locally pending the announcement.
5. On the embargo date, the changes are pushed to the public repository and new builds are deployed.

This process can take some time, especially when coordination is required with maintainers of other projects. Every effort will be made to handle the issue in as timely a manner as possible, however it is important that we follow the release process above to ensure that the disclosure is handled in a consistent manner.

## Security Key

## Attribution

This Security Policy is adapted from [Rust's Security Policy][Rust Security Policy].

[Security Email]: mailto:security@xor-cipher.org
[Security Key]: https://xor-cipher.org/keys/security
[MIT Key Server]: https://pgp.mit.edu/pks/lookup?op=index&search=0xFF8BC4BD3679FEC28A1CF79ED063CCAB4A83E040
[Rust Security Policy]: https://rust-lang.org/policies/security