| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
We take security seriously. If you discover a security vulnerability, please report it responsibly:
Please do NOT:
- Open public issues for security bugs
- Discuss vulnerabilities in public forums
Please DO:
- Email security reports to: security@truthcore.example.com
- Include detailed reproduction steps, the affected version, and the impact you believe the issue has
- Allow reasonable time for a fix before any public disclosure
What to expect after you report:
- Acknowledgment: within 48 hours
- Assessment: within 1 week
- Fix development: timeline based on severity
- Release: coordinated disclosure with the reporter
- Recognition: public acknowledgment (with your permission)
Truth Core implements defense in depth:
- Cryptographic integrity
  - Content-addressed storage (BLAKE2b, SHA-256, SHA3)
  - Ed25519 signatures for evidence bundles
  - Tamper-evident manifests
- Input validation
  - Path traversal protection
  - JSON depth limits
  - File size limits
  - Safe archive extraction
- Output safety
  - Markdown sanitization
  - HTML escaping in reports
  - Safe file preview
- Determinism
  - No random or time-based behavior
  - Stable sorting and ordering
  - Reproducible outputs
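The following is an added example, not Truth Core's own code, showing how the integrity, input-validation and determinism controls listed above fit together: a content-addressed, tamper-evident manifest built with canonical JSON (sorted keys, fixed separators, nothing time-based), a path-traversal guard of the kind safe archive extraction needs, and a pre-parse JSON nesting check. It uses only the Python standard library; the function names, the size and depth limits, and the sample bundle are assumptions made for the example (Ed25519 signing is not shown, since it needs a third-party library).

```python
# Added example, not Truth Core's own code: stdlib-only sketch of the
# controls listed above. Function names and limits are assumptions.
import hashlib
import json
import posixpath

ALGORITHMS = ("blake2b", "sha256", "sha3_256")  # hashlib names
MAX_FILE_BYTES = 10 * 1024 * 1024               # assumed limit
MAX_JSON_DEPTH = 32                             # assumed limit


def digest(data: bytes, algorithm: str = "blake2b") -> str:
    """Content address: hex digest of the bytes under one of the allowed hashes."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return hashlib.new(algorithm, data).hexdigest()


def canonical_json(obj) -> bytes:
    """Deterministic bytes: sorted keys, fixed separators, no timestamps."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def safe_relative_path(member: str) -> str:
    """Traversal guard for archive members and manifest entries: rejects absolute
    paths, drive letters and any '..' that would escape the extraction root."""
    if not member or member[0] in "/\\" or ":" in member.split("/")[0]:
        raise ValueError(f"unsafe path {member!r}")
    normalized = posixpath.normpath(member.replace("\\", "/"))
    if normalized in (".", "..") or normalized.startswith("../"):
        raise ValueError(f"unsafe path {member!r}")
    return normalized


def build_manifest(files: dict, algorithm: str = "blake2b") -> dict:
    """Address every file, then address the manifest body itself so that any
    edit to an entry changes manifest_digest (tamper-evident)."""
    entries = {}
    for path in sorted(files):                   # stable ordering
        if len(files[path]) > MAX_FILE_BYTES:
            raise ValueError(f"{path}: exceeds size limit")
        entries[safe_relative_path(path)] = digest(files[path], algorithm)
    body = {"algorithm": algorithm, "files": entries}
    body["manifest_digest"] = digest(canonical_json(body), algorithm)
    return body


def verify_manifest(manifest: dict, files: dict) -> list:
    """Return every discrepancy found; an empty list means the bundle is intact."""
    body = {k: v for k, v in manifest.items() if k != "manifest_digest"}
    algorithm = body["algorithm"]
    problems = []
    if digest(canonical_json(body), algorithm) != manifest.get("manifest_digest"):
        problems.append("manifest digest mismatch")
    for path, expected in body["files"].items():
        if path not in files:
            problems.append(f"{path}: missing")
        elif digest(files[path], algorithm) != expected:
            problems.append(f"{path}: content digest mismatch")
    problems.extend(f"{p}: not in manifest" for p in sorted(set(files) - set(body["files"])))
    return problems


def check_json_depth(text: str, limit: int = MAX_JSON_DEPTH) -> int:
    """Measure bracket nesting in the raw text before json.loads so a hostile
    document cannot drive the parser into deep recursion. Brackets inside
    strings are ignored. Returns the maximum depth seen."""
    depth = max_depth = 0
    in_string = escaped = False
    for ch in text:
        if in_string:
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "[{":
            depth += 1
            if depth > limit:
                raise ValueError(f"JSON nesting exceeds {limit}")
            max_depth = max(max_depth, depth)
        elif ch in "]}":
            depth -= 1
    return max_depth


if __name__ == "__main__":
    # Constructed sample bundle, not real evidence.
    bundle = {"report.md": b"# Evidence\n", "logs/app.log": b"ok\n"}
    manifest = build_manifest(bundle)
    print(verify_manifest(manifest, bundle))      # []
    bundle["report.md"] = b"# Evidence (edited)\n"
    print(verify_manifest(manifest, bundle))      # ['report.md: content digest mismatch']
```

Two design points worth noting: the manifest digest is computed over the canonical bytes of the body with the digest field absent, so verifiers must strip that one field and re-serialise with the same settings; and the depth check runs over the raw text rather than the parsed object, because by the time a parser has produced a deeply nested object the recursion cost has already been paid.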
Recommended practices for deployments:
- Signing keys: keep private keys secure, out of source control and out of logs
- Verification: always verify signatures on published evidence before trusting it
- Dependencies: pin dependencies in production
- Updates: keep up with security updates
Deployment checklist:
- Signing keys generated securely
- Private keys stored in an environment variable or secrets manager, never in the repository
- Verification enabled for evidence bundles
- Resource limits configured appropriately
- Audit logging enabled
- Dependencies scanned for vulnerabilities
Enable comprehensive logging:

```python
import structlog

# Emit one JSON object per event with a log level and an ISO-8601 timestamp,
# so audit logs are machine-parseable and consistent across environments.
structlog.configure(
    processors=[
        structlog.processors.add_log_level,
        structlog.processors.TimeStamper(fmt="iso"),
        structlog.processors.JSONRenderer(),
    ]
)

log = structlog.get_logger()
log.info("evidence_bundle_verified", bundle="example")
```

Truth Core supports compliance evidence for:
- SOC 2: Evidence integrity and audit trails
- ISO 27001: Security policy enforcement
- GDPR: Data processing verification
| CVE / Issue | Version | Description | Fixed |
|---|---|---|---|
| None yet | - | - | - |
Last updated: 2026-01-31