diff --git a/README.md b/README.md index 7a124b1..6448f23 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,6 @@ python3 test.py - **Optional persistence**: Keys can be saved to `client_keys/` directory for reuse across sessions - **Password protection**: Optional password encryption for private keys (recommended for production) - **Secure permissions**: Private keys stored with restricted permissions (600 - owner-only access) -- **Secure memory protection**: Plaintext payloads protected from disk swapping and memory lingering ### Secure Memory Protection diff --git a/SECURITY.md b/SECURITY.md index 3126b03..f5a2179 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -25,6 +25,7 @@ HTTP connections are vulnerable to man-in-the-middle attacks where an attacker c ### 2. Protect Private Keys **Password Protection:** + ```python # Generate keys with password protection await client.generate_keys(save_to_file=True, password="strong_password_here") @@ -34,6 +35,7 @@ await client.load_keys("client_keys/private_key.pem", password="strong_password_ ``` **File Permissions:** + - Private keys are automatically saved with 0600 permissions (owner read/write only) - Never commit private keys to version control - Add `client_keys/` to your `.gitignore` @@ -41,10 +43,12 @@ await client.load_keys("client_keys/private_key.pem", password="strong_password_ ### 3. Key Management **Key Rotation:** + - Regularly rotate RSA key pairs (recommended: every 90 days) - Generate new keys when changing environments (dev → staging → production) **Key Storage:** + - Store keys outside the project directory in production - Use environment variables or secrets management systems - Never hardcode keys in source code 
@@ -80,7 +84,8 @@ This will display warnings but allow the connection to proceed. ## Reporting Security Issues Report security vulnerabilities responsibly: -- Do NOT create public GitHub issues -- Contact: security@nomyo.ai + +- Do **NOT** create public GitHub issues, use "Report a vulnerability" function in Github instead! +- Contact: ichi@nomyo.ai - Include detailed vulnerability information -- Allow time for remediation before disclosure +- Allow time for remediation before disclosure. Thank you.
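Review bot: In the README.md hunk, dropping the "Secure memory protection" feature bullet while the unchanged context still carries the `### Secure Memory Protection` heading leaves the README contradicting itself a few lines apart. Either remove or rewrite that section in the same change, or keep the bullet. If the bullet was removed because the protection no longer exists or the claim was found not to hold, SECURITY.md should say so explicitly (what happens to plaintext payloads with respect to swap and lingering memory), since the feature list and the security guidance are read together.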
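Review bot: In the SECURITY.md "Protect Private Keys" hunk, the example `await client.generate_keys(save_to_file=True, password="strong_password_here")` shows a literal password in source, which the "Key Storage" bullets in the next hunk forbid ("Never hardcode keys in source code", "Use environment variables or secrets management systems"). Have the example read the secret from the environment, e.g. `password=os.environ["CLIENT_KEY_PASSWORD"]`, and do the same in the `load_keys` call, so the guidance and its own sample agree. The rest of these hunks only insert blank lines before the lists, which is fine.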
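Review bot: In the "Reporting Security Issues" hunk, the contact is changed from the role alias `security@nomyo.ai` to the personal mailbox `ichi@nomyo.ai`; a role alias survives staff changes and can be forwarded to several people, so keep (or forward) `security@` rather than replacing it. Two smaller points on the same lines: the GitHub "Report a vulnerability" button only appears once private vulnerability reporting is enabled in the repository's Security settings, so confirm that and say so; and tidy the wording, "GitHub" rather than "Github", and a full stop or "and" instead of the comma in `Do **NOT** create public GitHub issues, use ...`.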