
Security: LogLine-Foundation/SIRP

SECURITY.md

Security Policy

Supported Versions

Version   Supported
GA        ✅ Security fixes within 7 days
RC        ⚠️ Security fixes best-effort
< RC      ❌ Not supported

Current GA: TBD (RC: v2026.01.04-rc1)

Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

1. Do NOT open a public issue

Security vulnerabilities should be reported privately to prevent exploitation.

2. Report via Email

Email: security@logline.world

Subject: [SIRP Security] Brief description

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)
  • Your contact information

3. GPG Encryption (Optional but Recommended)

If you prefer encrypted communication, use our GPG key:

# Fetch public key
gpg --keyserver keys.openpgp.org --recv-keys <KEY_ID>

# Encrypt your report
gpg --encrypt --armor --recipient <KEY_ID> your-report.txt

GPG Key ID: TBD (to be published)

4. Response Timeline

  • Triage: Within 48 hours
  • Confirmation: Within 5 business days
  • Fix Coordination: Depends on severity
  • Disclosure: Coordinated with reporter

5. Severity Levels

  • Critical (P0): Remote code execution, authentication bypass, data exfiltration
  • High (P1): Privilege escalation, denial of service, data corruption
  • Medium (P2): Information disclosure, limited DoS
  • Low (P3): Minor information leakage, configuration issues

Build Provenance

All release artifacts include:

  • SHA256 checksums: Required for all artifacts
  • SBOM (Software Bill of Materials): Attached to releases
  • Signatures: Optional (minisign/cosign) for additional verification

Verify Release Artifacts

# Download artifact and checksum
wget https://github.com/LogLine-Foundation/SIRP/releases/download/v2026.01.04-rc1/sirp-unified-2026.01.04-rc1.zip
wget https://github.com/LogLine-Foundation/SIRP/releases/download/v2026.01.04-rc1/sirp-unified-2026.01.04-rc1.zip.sha256

# Verify checksum
shasum -a 256 -c sirp-unified-2026.01.04-rc1.zip.sha256

Expected SHA256 for v2026.01.04-rc1: 47871baa48c6c99d92840160fcf193cece245e10634052a4aeb6db87b2abdf60
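The commands above check the artifact against the .sha256 file, but that file is downloaded from the same release page as the artifact, so a tampered upload can come with a matching checksum. The script below is an added example (not part of the SIRP project's own release tooling) that performs the same check in POSIX sh and additionally compares the result with a digest obtained out of band, such as the one published above for v2026.01.04-rc1. It runs on a constructed sample file so it works offline; for a real release you would pass the downloaded artifact, its .sha256 file and the published digest.

```shell
#!/bin/sh
# Added example, not the SIRP project's own script. Verifies a release artifact
# against (1) its .sha256 file and (2) a digest obtained out of band, so that a
# checksum file replaced alongside a tampered artifact is still rejected.

# Portable SHA-256 of a file: use sha256sum where present, else shasum (macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_artifact FILE CHECKSUM_FILE EXPECTED_DIGEST
# Returns 0 only if CHECKSUM_FILE lists FILE with a digest equal to both the
# file's actual digest and EXPECTED_DIGEST; any other condition returns 1.
verify_artifact() {
  file=$1; sumfile=$2; expected=$3
  [ -f "$file" ] || { echo "missing artifact: $file" >&2; return 1; }
  [ -f "$sumfile" ] || { echo "missing checksum file: $sumfile" >&2; return 1; }

  # Digest recorded for this exact filename (shasum/sha256sum format:
  # "<digest>  <name>" or "<digest> *<name>" for binary mode).
  recorded=$(awk -v f="$(basename "$file")" '$2 == f || $2 == "*"f {print $1}' "$sumfile")
  actual=$(sha256_of "$file")

  [ -n "$recorded" ] || { echo "$sumfile does not list $(basename "$file")" >&2; return 1; }
  [ "$recorded" = "$actual" ] || { echo "checksum file does not match artifact" >&2; return 1; }
  [ "$actual" = "$expected" ] || { echo "artifact does not match pinned digest" >&2; return 1; }
  echo "OK: $file ($actual)"
  return 0
}

# --- Demonstration on a constructed sample. For the real release, the third
# argument is the digest published in this policy (47871baa...bdf60), typed
# from the policy rather than read from the downloaded .sha256 file. ---
demo_dir=$(mktemp -d)
printf 'constructed sample artifact' > "$demo_dir/sirp-sample.zip"
pinned=$(sha256_of "$demo_dir/sirp-sample.zip")     # stands in for the published digest
printf '%s  sirp-sample.zip\n' "$pinned" > "$demo_dir/sirp-sample.zip.sha256"

verify_artifact "$demo_dir/sirp-sample.zip" "$demo_dir/sirp-sample.zip.sha256" "$pinned"

printf 'tampered' > "$demo_dir/sirp-sample.zip"     # simulate a modified download
verify_artifact "$demo_dir/sirp-sample.zip" "$demo_dir/sirp-sample.zip.sha256" "$pinned" \
  || echo "tampered artifact rejected, as expected"
rm -rf "$demo_dir"
```

Run it as `sh verify.sh`; the first verification prints OK and the second, on the altered file, fails on the checksum-file comparison. The pinned digest is what gives the check its value: keep it in a place the attacker who could replace the release cannot also edit.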

Verify Signatures (if available)

# Minisign verification
minisign -V -m sirp-unified-2026.01.04-rc1.zip \
  -p <public-key> \
  -x sirp-unified-2026.01.04-rc1.zip.minisig

# Cosign verification (if available)
cosign verify-blob --certificate-identity <identity> \
  --certificate-oidc-issuer <issuer> \
  --signature <signature-file> \
  sirp-unified-2026.01.04-rc1.zip

Security Best Practices

For Users

  1. Always verify checksums before using release artifacts
  2. Use signed releases when available
  3. Keep dependencies updated (check SBOM for known vulnerabilities)
  4. Report vulnerabilities responsibly

For Contributors

  1. Follow secure coding practices
  2. Review dependencies for known vulnerabilities
  3. Run security scans (cargo audit, cargo deny)
  4. Keep secrets out of code (use GitHub Secrets)

Security Advisories

Security advisories will be published at:

Acknowledgments

We appreciate responsible disclosure. Security researchers who report valid vulnerabilities will be acknowledged (with permission) in:

  • Release notes
  • Security advisories
  • Project documentation

Additional Resources
