We provide security updates for the following versions:

We take security vulnerabilities seriously. If you discover a security vulnerability, please follow these steps:

Security vulnerabilities should be reported privately to protect users until a fix is available.

Please report security vulnerabilities using GitHub's Security Advisory feature:

1. Go to the repository's Security tab
2. Click Report a vulnerability
3. Fill out the security advisory form with details

Alternatively, you can open a private security advisory by:

• Creating a draft security advisory in the repository
• Or opening a private issue (if you have maintainer access)

Include the following information:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if you have one)
• Your contact information

• Initial Response: Within 48 hours
• Status Update: Within 7 days
• Fix Timeline: Depends on severity, typically 30-90 days

• We will acknowledge receipt of your report
• We will keep you informed of our progress
• We will credit you in security advisories (unless you prefer to remain anonymous)
• We will coordinate public disclosure after a fix is available

• Always use the latest stable version
• Review and understand the security implications of zero-knowledge proofs
• Use RISC0_DEV_MODE=1 only for development/testing, never in production
• Verify proofs before trusting compliance claims
• Keep your RISC Zero toolchain updated

• Follow secure coding practices
• Review all dependencies for known vulnerabilities (cargo audit)
• Run security linters (cargo clippy)
• Never commit secrets or private keys
• Use constant-time operations for cryptographic code

• Dev Mode: RISC0_DEV_MODE=1 generates non-cryptographic proofs for testing only
  • ⚠️ NOT side-channel resistant - use only for development/testing
  • ⚠️ NOT cryptographically secure - do not use in production
• Real Proofs: Production use requires real zkVM proofs (10-20+ minutes generation time)
  • ✅ Uses RISC Zero's secure, audited implementation
  • ✅ Side-channel resistant
  • ✅ Cryptographically secure
• Verification: Always verify proofs cryptographically before trusting results

• C2PA signature verification is performed in the zkVM
• Tampered manifests will fail verification
• Invalid signatures are detected and reported
• Selective disclosure: Sensitive fields can be redacted via disclosed_fields in spec

• The guest program runs in an isolated zkVM environment
• Guest code is deterministic and verifiable
• No network access or side effects from guest execution
• Relies on RISC Zero's secure implementation for cryptographic operations

Note: See docs/SECURITY_REVIEW.md for complete security review and detailed analysis.

Current Status: Pre-audit dev version

• ✅ Internal security review completed (Phase 3)
• ✅ Dependency scanning completed (cargo audit)
• ✅ Fuzzing infrastructure in place
• ⏳ External audit pending (see docs/EXTERNAL_AUDIT_OPTIONS.md)

For Pilots: Use "Pre-audit dev version" disclaimer. External audit recommended before production contracts.

Security advisories will be published:

• In GitHub Security Advisories (automatically visible in the repository's Security tab)
• In release notes
• Via GitHub notifications to repository watchers

We appreciate the security research community's efforts to keep Project FUSE secure. Responsible disclosure helps protect all users.