Skip to content

Security: rustakka/atomr-dledger

Security

SECURITY.md

Security Policy

Reporting a vulnerability

Please email security@atomr.dev with a description of the issue. We acknowledge within 72 hours.

Threat model

atomr-dledger is built under a "Harvest Now, Decrypt Later" threat model. The key invariants we defend:

  1. Data confidentiality survives a quantum break. All data-at-rest is wrapped under ML-KEM-1024. All data-in-transit uses the X25519MLKEM768 hybrid KEM group. A future quantum capability does not retroactively decrypt today's traffic or storage.
  2. Signatures fail safely. Hot keys are Ed25519; cold keys are ML-DSA-65 (Dilithium-5). High-value operations require the cold key. A break in the hot key can only damage one identity rotation window.
  3. Floating-point non-determinism cannot frame an honest node. Fraud-proof comparisons run over a canonicalised trace per ADR-0008. Two honest replicas that disagree within the model's declared precision bucket are not slashed.
  4. The right to be forgotten is cryptographic. Crypto-shredding (atomr-dledger-provenance::ShredRegistry) destroys the wrapped DEK; the ciphertext remains in immutable history but is mathematically irrecoverable. Backups of the ciphertext are safe only if every backup also lost the wrapped DEK.

Out of scope

  • Bugs in atomr upstream — please file against https://github.com/rustakka/atomr instead.
  • Bugs in third-party crates referenced by us — please file upstream and copy us.
  • Speculation about Phase 4/5 (RV11–RV16) aspirational traits — the Mock/Allow defaults are intentionally permissive per ADR-0004. Real implementations are not part of v1.0.

There aren't any published security advisories