Do NOT open a public GitHub issue for security vulnerabilities.
Report vulnerabilities privately to security@odal-node.io with:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a minimal proof of concept
- The affected crate(s) and version(s)
- Any suggested fix or mitigation, if you have one
| Step | Timeframe |
|---|---|
| Acknowledgement of your report | Within 48 hours |
| Initial assessment and severity classification | Within 5 business days |
| Fix or mitigation for critical/high severity | Within 14 days |
| Fix or mitigation for medium/low severity | Within 30 days |
| Public disclosure (coordinated with reporter) | After fix is released |
We follow coordinated vulnerability disclosure (CVD) as recommended by the OpenSSF Vulnerability Disclosure Working Group. We will work with you on timing and credit.
This policy covers all crates in the dpp-core workspace:
| Crate | Security-Relevant Surface |
|---|---|
| dpp-crypto | Ed25519 key management, AES-256-GCM encryption, JWS signing/verification, Verifiable Credential issuance |
| dpp-domain | Access tier policy enforcement, schema validation, transfer chain integrity |
| dpp-digital-link | GS1 Digital Link URI parsing (input validation) |
| dpp-plugin-traits | Wasm plugin ABI boundary |
| dpp-registry | EU Registry interface types |
Issues in the following areas are particularly important:
- Cryptographic key leakage or weak randomness
- JWS signature bypass or forgery
- Access tier escalation (e.g., public credentials accessing confidential data)
- Schema validation bypass allowing non-compliant passports
- Transfer chain integrity violations (skipping states, forging history)
- Issues in the dpp-engine repository (report to the same email, but this policy covers dpp-core only)
- Vulnerabilities in upstream dependencies (report to the dependency maintainer; we monitor via
cargo auditin CI) - Feature requests or non-security bugs (use GitHub Issues)
| Version | Supported |
|---|---|
| 0.1.x (current) | Yes |
Only the latest release receives security patches. When a new minor or major version is released, the previous version receives security patches for 90 days, then support ends.
We credit security researchers in the CHANGELOG and release notes (unless you prefer to remain anonymous). We do not currently operate a bug bounty programme.
The following automated checks run on every push and pull request:
cargo audit— checks all dependencies against the RustSec Advisory Databasecargo clippy -- -D warnings— catches common correctness issuescargo nextest run— runs the full test suite including cryptographic verification tests
dpp-core uses the following cryptographic primitives:
| Purpose | Algorithm | Crate | Rationale |
|---|---|---|---|
| Passport signing | Ed25519 | ed25519-dalek |
ESPR-aligned, deterministic, fast, 128-bit security level |
| Field encryption | AES-256-GCM | aes-gcm |
Authenticated encryption for confidential passport fields |
| Hashing | SHA-256 | sha2 |
Content-addressable passport identifiers |
| Key derivation | N/A (direct key generation) | rand (OS entropy) |
Keys are generated, not derived from passwords |
No custom cryptography is implemented. All primitives are from audited, widely-used Rust crates.