Drasil takes the security of our software and users' data seriously.
This page outlines how to report security vulnerabilities and our
responsible disclosure process.
Please do not report security vulnerabilities through public GitHub issues.
Public disclosure can put users at risk before a fix is available.
Reporting Security Issues
If you believe you have found a security vulnerability in any Drasil-owned
repository, please report it to us via email:
security@drasil.co
What to Include
To help us better understand the nature and scope of the issue, please
include the following information:
- Type of issue (e.g., cryptographic weakness, smart contract vulnerability, data exposure)
- Full paths of source file(s) related to the manifestation of the issue
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
- Your assessment of the severity (Critical, High, Medium, Low)
Response Time
You should receive an initial response within 72 hours
acknowledging receipt of your report. If you do not receive a response,
please follow up to ensure we received your message.
We aim to provide updates on our progress at least every 7 days
until the issue is resolved.
Disclosure Policy
Drasil follows the principle of Coordinated Vulnerability Disclosure:
- Researchers privately report vulnerabilities to us
- We acknowledge receipt and begin investigation
- We validate the report, develop a fix, and test it
- We release a patch or mitigation
- We publicly disclose the vulnerability with appropriate credit to the researcher
We request that you allow us 90 days from the date of
report acknowledgment to address the vulnerability before any public
disclosure. Extensions may be granted for complex issues.
Scope
The following are in scope for security reports:
- Smart contract vulnerabilities in Drasil contracts
- Cryptographic weaknesses in the PRE (Proxy Re-Encryption) implementation
- Client-side data handling in the CLI
- API or integration vulnerabilities
- Infrastructure vulnerabilities affecting drasil.co
The following are not in scope:
- Social engineering attacks
- Physical security issues
- Third-party services or dependencies (unless exploitable through Drasil)
- Issues in test code or example configurations
- Missing security headers that do not lead to direct exploitation
Bug Bounty
At this time, Drasil does not have a formal bug bounty program. However,
we deeply appreciate the efforts of security researchers and will provide
public recognition (with your consent) for responsibly disclosed
vulnerabilities.
Security Best Practices
For Users
- Always download the CLI from official sources (GitHub releases)
- Verify the published checksum (and signature, where one is provided) of a downloaded release before running it
- Keep your encryption keys secure and backed up
- Be cautious when sharing profiles with unknown parties
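The checksum check above, as an added example that is not part of Drasil's own tooling or release process. It assumes the release page publishes a SHA256SUMS-style file whose lines have the form `<hex digest>  <filename>`; the artifact name, the sums file and the "hello" test payload are constructed for the demo.

```shell
#!/bin/sh
# Added example: verify a downloaded release artifact against a published
# SHA-256 checksum before running it. Not Drasil's own tooling; it assumes a
# SHA256SUMS-style file ("<hex>  <filename>") shipped alongside the release.

# Print the SHA-256 hex digest of a file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_artifact <file> <sums-file>
# Returns 0 only when the file's digest matches the entry for its basename in
# the sums file. A missing entry or a mismatch returns 1, so a caller that
# chains "verify_artifact ... && ./artifact" never runs an unverified download.
verify_artifact() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Accept both "hash  name" and the binary-mode form "hash *name".
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) {print tolower($1); exit}' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum entry for $name" >&2
        return 1
    fi
    actual=$(sha256_of "$file" | tr 'A-F' 'a-f')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Constructed demo: a fake artifact whose contents are "hello\n" and a sums
# file carrying the known SHA-256 of that payload, then a tampered copy.
demo() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/example-cli"
    printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  example-cli\n' > "$dir/SHA256SUMS"
    if verify_artifact "$dir/example-cli" "$dir/SHA256SUMS"; then
        echo "ok: example-cli matches SHA256SUMS"
    fi
    # Append a byte to simulate a tampered download: verification must fail.
    printf 'tampered\n' >> "$dir/example-cli"
    verify_artifact "$dir/example-cli" "$dir/SHA256SUMS" || echo "refused tampered artifact"
    rm -rf "$dir"
}
demo
```

A checksum downloaded from the same page as the artifact only proves the download was not corrupted or swapped in transit; if the release also carries a detached signature, verify that as well so the check is rooted in a key rather than in the same web server.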
For Developers
- Review our security testing documentation
- Run the full test suite before submitting changes
- Handle key material carefully: never log, commit, or embed it in test fixtures, and prefer the project's existing, reviewed cryptographic primitives over ad hoc constructions
- Follow the principle of least privilege in smart contract design
PGP Key
For sensitive communications, you may encrypt your message using our
PGP key. Fingerprint and download link to be added.