From 01335c64b0ae119230c0cf48cdb82e7ffbcd14e9 Mon Sep 17 00:00:00 2001 From: alpha-nerd-nomyo Date: Sat, 17 Jan 2026 11:12:40 +0100 Subject: [PATCH] docs: enhancement and clarification --- README.md | 1 - SECURITY.md | 11 ++++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 7a124b1..6448f23 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,6 @@ python3 test.py - **Optional persistence**: Keys can be saved to `client_keys/` directory for reuse across sessions - **Password protection**: Optional password encryption for private keys (recommended for production) - **Secure permissions**: Private keys stored with restricted permissions (600 - owner-only access) -- **Secure memory protection**: Plaintext payloads protected from disk swapping and memory lingering ### Secure Memory Protection diff --git a/SECURITY.md b/SECURITY.md index 3126b03..f5a2179 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -25,6 +25,7 @@ HTTP connections are vulnerable to man-in-the-middle attacks where an attacker c ### 2. Protect Private Keys **Password Protection:** + ```python # Generate keys with password protection await client.generate_keys(save_to_file=True, password="strong_password_here") @@ -34,6 +35,7 @@ await client.load_keys("client_keys/private_key.pem", password="strong_password_ ``` **File Permissions:** + - Private keys are automatically saved with 0600 permissions (owner read/write only) - Never commit private keys to version control - Add `client_keys/` to your `.gitignore` @@ -41,10 +43,12 @@ await client.load_keys("client_keys/private_key.pem", password="strong_password_ ### 3. Key Management **Key Rotation:** + - Regularly rotate RSA key pairs (recommended: every 90 days) - Generate new keys when changing environments (dev → staging → production) **Key Storage:** + - Store keys outside the project directory in production - Use environment variables or secrets management systems - Never hardcode keys in source code 
@@ -80,7 +84,8 @@ This will display warnings but allow the connection to proceed. ## Reporting Security Issues Report security vulnerabilities responsibly: -- Do NOT create public GitHub issues -- Contact: security@nomyo.ai + +- Do **NOT** create public GitHub issues, use "Report a vulnerability" function in Github instead! +- Contact: ichi@nomyo.ai - Include detailed vulnerability information -- Allow time for remediation before disclosure +- Allow time for remediation before disclosure. Thank you.
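Review bot: the README hunk (`@@ -63,7 +63,6 @@`) removes the "Secure memory protection" feature bullet while the "### Secure Memory Protection" section heading immediately below it stays, and the commit message ("docs: enhancement and clarification") does not say whether the protection itself was removed or the claim was found to be unsupported. Either drop or rework that section in the same change, or state in the commit message why the feature-list entry is no longer accurate, so readers do not get a section describing a protection the feature list no longer claims.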
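Review bot: the last SECURITY.md hunk (`@@ -80,7 +84,8 @@`) replaces the role mailbox `security@nomyo.ai` with what appears to be an individual's address, `ichi@nomyo.ai`; a role address survives staff changes and can be routed to more than one person, so keep the role mailbox (or list both) unless it was never monitored. Minor: "Github" should be "GitHub", and the first bullet is a comma splice with a stray exclamation mark; suggest `- Do **NOT** create public GitHub issues; use the "Report a vulnerability" function on GitHub instead`.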