# SECURITY

## Security Policy for EVE

We take security seriously. We appreciate the community's efforts in identifying and responsibly disclosing potential security vulnerabilities.

## Reporting a Vulnerability

If you believe you've found a security vulnerability in EVE, please report it to us privately using one of these methods:

### Option 1: Encrypted Nostr DM

Send a NIP-44 encrypted direct message to:

```
npub1ven4zk8xxw873876gx8y9g9l9fazkye9qnwnglcptgvfwxmygscqsxddfh
```

### Option 2: Email with PGP Encryption

Send an email to `danny@arx-ccn.com`, encrypted to the maintainer's PGP public key.

## What to Include in Your Report

Please include the following information in your vulnerability report:

1. Description of the vulnerability
2. Steps to reproduce
3. Potential impact
4. Any suggested mitigations (if applicable)
5. Whether you'd like to be credited for the discovery

## Vulnerability Severity Classification

We classify vulnerabilities according to the following severity levels:

| Severity     | Description                                                                                                            |
| ------------ | ---------------------------------------------------------------------------------------------------------------------- |
| **Critical** | Vulnerabilities that can lead to system compromise, unauthorized access to CCN data, or significant service disruption |
| **High**     | Vulnerabilities that can lead to partial service disruption                                                            |
| **Medium**   | Vulnerabilities that may expose non-sensitive information or affect functionality in a limited way                     |
| **Low**      | Minor issues with minimal security impact                                                                              |

Please include your assessment of the severity in your report.

## Responsible Disclosure Policy

- We will acknowledge receipt of your vulnerability report within 72 hours.
- We will provide an initial assessment of the report within 7 days.
- We will work diligently to verify and address the reported issue, prioritizing based on severity.
- We request that you do not publicly disclose the vulnerability until we've had adequate time to address it.
- After 60 days from acknowledgment, if we haven't addressed the issue, you may disclose it publicly.

## Scope

This security policy applies to the following official EVE repositories and components:

- Main EVE application: https://git.arx-ccn.com/Arx/Eve
- EVE Relay: https://git.arx-ccn.com/Arx/Eve-Relay
- All published Arxlets (Phora, Nexus, etc.)

### Out of Scope

- Third-party integrations not maintained by the Arx team
- Community forks not officially supported by the Arx team
- Issues already publicly disclosed or previously reported

## Security Updates

Security updates will be released as soon as possible after verification and remediation, with priority given to Critical and High severity issues. We will provide information about the vulnerability and the fix in the release notes.

## Recognition

We believe in recognizing the valuable contributions of security researchers. With your permission, we will acknowledge your contribution in our release notes and in the CONTRIBUTORS.md file.

Thank you for helping keep EVE and its users secure!