Currently supported versions for security updates:

We take security issues seriously. If you discover a security vulnerability in TechCompressor, please report it responsibly.

Please DO NOT create public GitHub issues for security vulnerabilities.

Instead, report security issues via:

1. Email: devaanshpathak@example.com

   • Subject: [SECURITY] TechCompressor Vulnerability Report
   • Include: Detailed description, steps to reproduce, impact assessment

2. GitHub Security Advisories (Preferred):

   • Visit: https://github.com/DevaanshPathak/TechCompressor/security/advisories
   • Click "Report a vulnerability"
   • Fill out the private advisory form

A good security report includes:

• Description: Clear summary of the vulnerability
• Impact: What can an attacker achieve?
• Affected Versions: Which versions are vulnerable?
• Steps to Reproduce: Detailed instructions to reproduce the issue
• Proof of Concept: Code or commands demonstrating the vulnerability
• Suggested Fix: (Optional) Proposed mitigation or patch
• Disclosure Timeline: Your expectations for public disclosure

We aim to respond to security reports within:

• 24-48 hours: Initial acknowledgment
• 7 days: Preliminary assessment and severity classification
• 30 days: Fix development and testing (for confirmed vulnerabilities)
• 90 days: Public disclosure (coordinated with reporter)

1. Confirmation: We confirm the vulnerability and assess severity
2. Fix Development: We develop and test a patch
3. Private Review: Reporter reviews the fix
4. Release: Security patch released as new version
5. Public Disclosure: CVE assigned (if applicable), advisory published
6. Credit: Reporter credited in CHANGELOG and security advisory (unless requested otherwise)

1. Use Strong Passwords:

   • Minimum 12 characters
   • Mix uppercase, lowercase, numbers, and symbols
   • Avoid dictionary words and personal information
   • Use a password manager (e.g., 1Password, Bitwarden, KeePassXC)

2. Password Storage:

   • NEVER store passwords in code or version control
   • Use environment variables or secure vaults
   • Do not share passwords via email or chat

3. No Password Recovery:

   • TechCompressor has no password recovery mechanism by design
   • Lost password = permanent data loss
   • Test password before long compression operations
   • Keep secure backups of passwords

1. Compression Pattern Leakage:

   • Compressed data reveals patterns even when encrypted
   • For highly sensitive data, consider encrypt-then-compress or specialized tools
   • TechCompressor uses compress-then-encrypt (standard but not perfect)

2. PBKDF2 Delay:

   • ~50-100ms key derivation is intentional for security
   • Do not "optimize away" this delay
   • Protects against brute-force attacks

3. Archive Security:

   • Encrypted archives protect both metadata and contents
   • Authentication tag prevents tampering
   • Verify password immediately after encryption

1. Archive Extraction:

   • Extract to known-safe directories only
   • Do not extract archives from untrusted sources without review
   • TechCompressor sanitizes paths, but review list_contents() first

2. Archive Creation:

   • Avoid creating archives inside source directory (triggers recursion error)
   • Be cautious with symlinks (rejected by default)

1. Input Validation:

   • Always validate user input (file paths, passwords, algorithm names)
   • Use Path.resolve() to canonicalize paths
   • Reject unexpected magic headers

2. Error Handling:

   • Do not leak sensitive information in error messages
   • Avoid exposing file paths in public errors
   • Log security events appropriately

3. Cryptography:

   • Use cryptography library (do not implement crypto primitives)
   • Always generate random salts and nonces
   • Never reuse nonces with the same key

4. Dependencies:

   • Keep cryptography library updated
   • Monitor security advisories: https://github.com/pyca/cryptography/security/advisories
   • Run pip-audit regularly to detect vulnerable dependencies

1. Security Test Coverage:

   • Path traversal attacks: tests/test_archiver.py
   • Wrong password detection: tests/test_crypto.py
   • Magic header validation: tests/test_integration.py
   • Symlink handling: tests/test_archiver.py

2. Fuzzing (Future):

   • Consider fuzzing compressed data parsing
   • Test archive format parser with malformed input
   • Stress-test encryption/decryption

Issue: Compressed data reveals patterns even when encrypted.

Impact: Attackers can infer information about plaintext by analyzing compressed ciphertext size and structure.

Mitigation:

• This is inherent to compress-then-encrypt schemes
• For maximum security, consider encrypt-then-compress workflows
• Alternatively, use specialized tools designed for encrypted archives (VeraCrypt, 7-Zip AES, etc.)

Status: Not a bug - architectural limitation documented in README and RELEASE_NOTES

Issue: 100,000 iterations is a balance between security and usability.

Impact: More iterations = better security but slower performance.

Configuration: Currently hardcoded. Future versions may allow tuning.

Recommendation: 100,000 is acceptable for v1.0.0. Monitor OWASP guidelines for future updates.

Issue: TechCompressor accepts any password (even weak ones).

Impact: Weak passwords are vulnerable to brute-force attacks.

Mitigation:

• User responsibility to choose strong passwords
• Consider adding password strength warnings in future versions
• Documentation emphasizes strong password requirements

Status: User education approach, may add UI warnings in future

TechCompressor v1.0.0 has not undergone formal third-party security audit.

• ✅ Use of industry-standard cryptography library (cryptography)
• ✅ Secure defaults (AES-256-GCM, PBKDF2 with 100K iterations)
• ✅ No custom crypto implementations
• ✅ Path traversal protection
• ✅ Comprehensive test coverage
• ⚠️ Pattern leakage limitation (documented)
• ⚠️ No password strength enforcement (user responsibility)

• Seek community security review
• Consider professional audit for v2.0.0
• Implement automated security scanning tools

No vulnerabilities disclosed for this version.

Last Updated: October 25, 2025
Contact: devaanshpathak@example.com