Last Updated: 2026-03-18 Audit Version: 1.0
β Core Protocol: SECURE π΄ Python Bindings: Requires Attention
Affected Component: pap-python crate (Python bindings)
CVE: Not yet assigned
CVSS Score: TBD (estimated 7.5 - HIGH)
Buffer overflow risk in PyString::from_object method in pyo3 versions < 0.24.1. This vulnerability affects the Python bindings only - the core Rust protocol implementation is NOT affected.
- Scope: Python bindings (
pap-python) ONLY - Core Protocol: β NOT AFFECTED
- Rust Users: β NOT AFFECTED
- Python Users: β FIXED (pyo3 upgraded to 0.24+)
# COMPLETED - pap-python/Cargo.toml
[dependencies]
pyo3 = { version = "0.24", features = ["extension-module", "abi3-py38"] }- Discovered: 2026-03-18 (via cargo-audit)
- Fixed: 2026-03-18 (pyo3 upgraded, all deprecations fixed)
- Status: β RESOLVED
- Verification:
cargo check --package pap-python- zero warnings
Affected Component: pap-transport, pap-federation (via reqwest)
Severity: LOW
The rustls-pemfile dependency (used transitively via reqwest) is no longer actively maintained. No known exploits exist.
- No immediate security risk
- May lack future security patches
- Monitor for maintained replacement
- Consider updating reqwest to version that uses alternative
- Track: https://github.com/rustls/pemfile/issues
- TLS Required: Always use HTTPS for
pap-transport(PAP does not implement TLS) - Key Management: Store Ed25519 private keys securely (HSM, encrypted storage)
- Nonce Tracking: Maintain persistent nonce consumed set to prevent replay attacks
- Mandate Validation: Always verify mandate chains before trusting delegated agents
- Audit Receipts: Regularly review transaction receipts for anomalies
- Dependencies: Run
cargo auditbefore releases - Testing: All crypto code has >90% test coverage
- Fuzzing: Consider fuzzing signature verification and disclosure hashing
- Code Review: All PRs require review for crypto changes
- Static Analysis: CI enforces zero Clippy warnings
DO NOT open public GitHub issues for security vulnerabilities.
Email: security@baur.software PGP Key: (TODO: add PGP key)
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if available)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 1 week
- Fix Development: Depends on severity (critical: <48h, high: <1 week)
- Public Disclosure: After fix is released (coordinated disclosure)
| Date | Auditor | Scope | Findings | Report |
|---|---|---|---|---|
| 2026-03-18 | Claude Code (Sonnet 4.5) | Full codebase | 1 vuln, 1 warning | AUDIT_REPORT.md |
β Ed25519 Signature Verification: All mandates, tokens, receipts cryptographically signed β Nonce Replay Prevention: Single-use tokens via nonce tracking β Mandate Chain Integrity: Hash-linked, scope/TTL constraints enforced β Selective Disclosure: SD-JWT with hash commitments (unlinkability) β Receipt Immutability: Co-signed by both parties, append-only
β Transport Security: You must use HTTPS/TLS β Key Storage: You must secure private keys β Payment Anonymity: Relies on external ecash systems (Chaumian mints) β DID Resolution: You must implement DID lookup (we only use did:key)
| Crate | Version | Security Notes |
|---|---|---|
| ed25519-dalek | 2.2 | β Industry standard, actively maintained |
| sha2 | 0.10 | β FIPS 180-4 compliant |
| chrono | 0.4 | β No known CVEs |
| axum | 0.8 | β Memory-safe HTTP framework |
| reqwest | 0.12.12 | β Pinned, secure version |
| pyo3 | 0.22.6 | π΄ UPGRADE TO 0.24.1 |
| rustls-pemfile | 2.2.0 |
- Critical vulnerabilities: Patch within 48 hours
- High severity: Patch within 1 week
- Medium/Low severity: Include in next minor release
- Dependency updates: Monthly
cargo update+ audit
Security Team: security@baur.software General Issues: https://github.com/Baur-Software/pap/issues Audit Requests: Reach out via email for professional audits
This document is part of the Principal Agent Protocol (PAP) security documentation. For technical details, see AUDIT_REPORT.md