Security: Bluebook722/starling

SECURITY.md

Security Policy

Supported versions

Starling is pre-1.0 and experimental. Only the latest main receives fixes.

Version    Supported
main       Yes
< 0.1      No

Reporting a vulnerability

Please do not open a public issue for an exploitable vulnerability.

Instead, use GitHub's private security advisory flow ("Report a vulnerability" on the Security tab), or contact the maintainers privately. We aim to acknowledge reports within 72 hours.

When reporting, please include:

  • a description of the issue and its impact,
  • steps to reproduce (a failing test or script is ideal),
  • affected files/commit, and any suggested fix.

Scope and known limitations

Before reporting, please read docs/THREAT_MODEL.md. Several properties are documented non-goals in v1 and are not vulnerabilities:

  • No anonymity / metadata privacy (peer ids and IPs are visible on the link).
  • No forward secrecy for encrypted channels (a leaked passphrase exposes history).
  • No Sybil resistance (identities are free to create).
  • Proof-of-work mitigates but does not eliminate flooding.

Reports that strengthen the actual guarantees (integrity, authenticity, the encryption implementation, parsing/DoS hardening) are very welcome.
