We release security updates for the following versions:
| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ❌ |
@hixbe/sig provides cryptographic tools for secure ID generation using industry-standard algorithms:
- SHA-256, SHA-512, SHA3-256, SHA3-512, BLAKE2b-512, SHAKE256
- HMAC signing
- CSPRNG (Cryptographically Secure Pseudo-Random Number Generator)
- Timing-safe comparisons
✅ Within Scope - We Ensure:
- Cryptographically secure random number generation (OS-level CSPRNG)
- Correct implementation of standard algorithms (SHA3, HMAC, BLAKE2b)
- Timing-safe operations to prevent side-channel attacks
- No hardcoded secrets or backdoors in source code
- Proper entropy management
- Secret key management and storage
- Secure transmission of generated IDs
- Access control to secrets/keys
- Compliance with industry regulations (PCI-DSS, HIPAA, etc.)
- Security of the Node.js runtime environment
- Network security and TLS/HTTPS usage
We take security seriously. If you discover a security vulnerability, please follow responsible disclosure:
-
Report privately via one of these methods:
- Email: security@hixbe.com
- GitHub Security Advisory: Use the "Security" tab → "Report a vulnerability"
-
Provide details:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
-
Allow time for fix:
- We will acknowledge receipt within 48 hours
- We aim to provide a fix within 7-14 days for critical issues
- We will coordinate disclosure timeline with you
- ❌ Open a public GitHub issue for security vulnerabilities
- ❌ Disclose the vulnerability publicly before we've had time to fix it
- ❌ Exploit the vulnerability maliciously
// ❌ WRONG - Secret in source code
const id = await generateId({
secret: 'my-payment-secret-123',
pepper: 'global-pepper-456'
});
// ✅ CORRECT - Secrets from environment
const id = await generateId({
secret: process.env.PAYMENT_SECRET,
pepper: process.env.GLOBAL_PEPPER
});import { generateId, generateRandomSalt } from '@hixbe/sig';
const transactionId = await generateId({
length: 32,
mode: 'hmac-hash', // Maximum security
algorithm: 'sha3-512', // Quantum-resistant
secret: process.env.PAYMENT_SECRET,
salt: generateRandomSalt(), // Per-transaction
pepper: process.env.GLOBAL_PEPPER,
checksum: true,
checksumCount: 2,
security: {
enhanceEntropy: true,
timestampEmbed: true,
collisionDetection: true,
auditLog: true,
},
});-
Store secrets in secure locations:
- AWS Secrets Manager
- HashiCorp Vault
- Azure Key Vault
- Google Cloud Secret Manager
- Environment variables (minimum)
-
Separate secret storage:
- Store
secretandpepperin different systems - Never store pepper in the same database as IDs
- Use different keys for different environments (dev/staging/prod)
- Store
-
Rotate keys regularly:
- Implement key rotation every 90 days
- Support multiple key versions
- Plan for emergency rotation
-
Monitor and audit:
- Enable audit logging
- Monitor for unusual patterns
- Set up alerts for high error rates
- Track key usage
| Feature | Implementation | Standard |
|---|---|---|
| Random Generation | crypto.randomBytes() |
NIST SP 800-90A |
| Hashing | SHA3-256/512, BLAKE2b | FIPS 202, RFC 7693 |
| HMAC | crypto.createHmac() |
FIPS 198-1 |
| Timing Safety | crypto.timingSafeEqual() |
Constant-time |
| Attack Type | Protection | Status |
|---|---|---|
| Brute Force | Rate limiting + entropy | ✅ Protected |
| Rainbow Tables | Salt + Pepper + HMAC | ✅ Protected |
| Timing Attacks | Constant-time comparison | ✅ Protected |
| Collision | SHA3/BLAKE2b + detection | ✅ Protected |
| Replay Attacks | Timestamp embedding | ✅ Protected |
| Side-Channel | Memory-hard derivation | ✅ Protected |
| Quantum Attacks | SHA3, post-quantum algos | ✅ Resistant |
Context: JavaScript/Node.js is not as hardened as systems languages (C/Rust).
Mitigation:
- We use Node.js native crypto module (C++ bindings to OpenSSL)
- All cryptographic operations use battle-tested implementations
- This is industry standard (used by AWS SDK, Stripe, etc.)
Risk Level: Low - Acceptable for production use
Context: JavaScript garbage collection doesn't guarantee immediate memory wiping.
Mitigation:
- We implement
secureDelete()function for sensitive buffers - We overwrite buffers before release
- Best effort for JavaScript environment
Risk Level: Low - Standard limitation of JavaScript
Context: Kyber768 and Dilithium3 are placeholder implementations.
Mitigation:
- SHA3 and BLAKE2b provide quantum resistance for hashing
- Full PQC implementation coming in future version
- Current algorithms are sufficient for quantum threat model
Risk Level: Low - Current algorithms are quantum-resistant
-
✅ PCI-DSS (Payment Card Industry)
- Cryptographically secure random IDs
- HMAC authentication
- Audit logging capability
-
✅ NIST Guidelines (FIPS 140-2/140-3)
- CSPRNG (SP 800-90A via Node.js)
- SHA3 (FIPS 202)
- HMAC (FIPS 198-1)
-
✅ OWASP (Security Best Practices)
- Secure random generation
- Protection against common vulnerabilities
-
✅ GDPR (Data Protection)
- Secure deletion support
- Audit trail capability
| Date | Auditor | Version | Findings | Status |
|---|---|---|---|---|
| TBD | Internal | 2.0.0 | Initial release | N/A |
We welcome independent security audits. Please contact us if you'd like to conduct one.
We will announce security updates through:
- GitHub Security Advisories
- NPM security advisories
- Release notes with
[SECURITY]tag
For security questions (non-vulnerabilities):
- Open a GitHub Discussion
- Tag with
securitylabel
For security vulnerabilities:
- Use private reporting channels listed above
Last Updated: November 19, 2025
Package Version: @hixbe/sig v2.0.0