Please do NOT open a public GitHub issue for security vulnerabilities.
Email security@skytale.sh with:
- Description of the vulnerability
- Steps to reproduce
- Affected component(s)
- Potential impact assessment
| Action | Timeframe |
|---|---|
| Acknowledgment | 48 hours |
| Initial assessment | 5 business days |
| Status update | Every 7 days until resolved |
| Severity | Examples | Target Resolution |
|---|---|---|
| Critical | Remote code execution, key material exposure, MLS bypass | 72 hours |
| High | Authentication bypass, privilege escalation | 7 days |
| Medium | Information disclosure, denial of service | 30 days |
| Low | Minor issues, hardening improvements | Next scheduled release |
All Skytale components are in scope:
- skytale-relay — QUIC/gRPC relay server
- skytale-sdk — Python SDK and Rust native extension
- skytale-mls — MLS encryption engine
- skytale-net — Iroh networking layer
- skytale-store — SQLCipher storage
- API server — REST API (accounts, keys, metering)
- CLI — Command-line tool
Skytale is built with these security properties:
- End-to-end encryption: All channel messages are encrypted using MLS (RFC 9420). The relay never sees plaintext.
- Zero-knowledge relay: Relay nodes cannot decrypt channel data. They route ciphertext only.
- Forward secrecy: MLS epoch advancement provides forward secrecy — compromising current keys does not expose past messages.
- Key zeroization: All cryptographic key material in memory is zeroized on drop using the
zeroizecrate. - No plaintext logging: Message content and key material are never logged at any level, including TRACE.
| Version | Supported |
|---|---|
| Latest release | Yes |
| Previous releases | Security fixes only |
We credit security researchers in release notes (with your permission). If you'd like to be credited, please include your preferred name and any relevant links in your report.
- Security reports: security@skytale.sh