Please do NOT open a public GitHub Issue for security vulnerabilities.

Go to Security → Report a vulnerability in this repository.

Email the maintainers directly with:

• Description of the vulnerability
• Steps to reproduce
• Impact assessment
• Any suggested fix

You will receive an acknowledgement within 48 hours and a resolution timeline within 7 days.

In scope:

• Cryptographic weaknesses (key derivation, encryption, Merkle verification)
• Authentication bypass in the REST API
• Data leakage or integrity failures
• Remote code execution via API inputs

Out of scope:

• Issues in upstream dependencies (report those upstream)
• Theoretical attacks with no practical exploit

We follow coordinated disclosure. Once a fix is ready we will:

1. Release a patched version
2. Publish a GitHub Security Advisory
3. Credit the reporter (unless they prefer anonymity)

No formal third-party audit has been conducted.

This is disclosed in the README, all release notes, and every post about this project. It means QUANTUM-PULSE is not yet recommended for protecting highly sensitive production data.

• CRYPTO_REVIEW.md — a single file documenting all cryptographic code, exact parameters, and specific open questions: CRYPTO_REVIEW.md
• Community review thread — open GitHub Discussion inviting public cryptographic review: Community Crypto Review — QUANTUM-PULSE v1.0.5
• Standard primitives only — PBKDF2-SHA256, HKDF, AES-256-GCM, SHA3-256 via PyCA cryptography library. No hand-rolled crypto.

If you are a cryptographer and willing to review the ~330 lines of crypto code, please see CRYPTO_REVIEW.md.