Security policy
How to report a vulnerability
Do not open public GitHub issues for security vulnerabilities.
Email security@multivmlabs.com with:
- A description of the vulnerability.
- Steps to reproduce, or a proof of concept.
- Affected package(s) and version(s).
- Any potential impact assessment.
Response timeline
| Stage | Target |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 5 business days |
| Fix timeline | Severity-dependent; critical issues targeted within 14 days |
Disclosure
Coordinated disclosure with a 90-day window. Once a fix is released:
- Patched versions published to npm, crates.io, and PyPI.
- GitHub Security Advisory created.
- Reporter credited, unless they prefer anonymity.
Policy details
Scope
In scope:
- All packages in the
pq-*namespace in this repository. - All language implementations (TypeScript, Rust, Python).
- Build and CI/CD pipeline security.
- Cryptographic correctness issues (wrong output, standards non-compliance).
- Side-channel vulnerabilities in implementations.
- Key encoding errors that could lead to key confusion or misidentification.
Out of scope:
- Quantum random number generation or quantum hardware interaction.
- Security guarantees beyond what the underlying NIST standards provide.
- Security of higher-level protocols built on top of these packages (e.g., full TLS handshake security depends on more than just the PQ key exchange).
Supported versions
Security updates are provided for the latest published version of each package. Fixes are not backported to older major versions.
Audit status
Individual packages are audited as they reach production maturity. Packages marked "Audit: Pending" in the catalog are scheduled. Audit reports, once available, will be linked from the affected package's reference page.
Audit pending notice: Treat any package with an "audit pending" notice as a warning sign for high-stakes deployments until the audit is closed.