Security Policy
Our Commitment
The security of cryptographer.js is of paramount importance to us. We take all security vulnerabilities seriously and are committed to addressing them promptly and transparently.
Supported Versions
We currently support the following versions of cryptographer.js with security updates:
1.x.x | ✅
< 1.0 | ❌
Cryptographic Standards
Algorithms Implemented
All cryptographic algorithms in cryptographer.js are implemented using:
Industry-standard specifications (FIPS, RFC, NIST)
Well-vetted Rust cryptography crates from the RustCrypto organization
Memory-safe implementations to prevent buffer overflows and memory corruption
Constant-time operations where applicable to prevent timing attacks
Hash Functions
SHA-1 | RFC 3174 | RustCrypto/sha1 | ⚠️ Legacy only
SHA-256 | FIPS 180-4 | RustCrypto/sha2 | ✅ Recommended
SHA-512 | FIPS 180-4 | RustCrypto/sha2 | ✅ Recommended
SHA3-256 | FIPS 202 | RustCrypto/sha3 | ✅ Recommended
SHA3-512 | FIPS 202 | RustCrypto/sha3 | ✅ Recommended
MD5 | RFC 1321 | RustCrypto/md5 | ⚠️ Legacy only
MD4 | RFC 1320 | RustCrypto/md4 | ⚠️ Legacy only
BLAKE2b | RFC 7693 | RustCrypto/blake2 | ✅ Recommended
BLAKE2s | RFC 7693 | RustCrypto/blake2 | ✅ Recommended
BLAKE3 | - | blake3-team/BLAKE3 | ✅ Recommended
Cipher Functions
AES-128 | CBC, ECB, CTR | FIPS 197 | RustCrypto/aes | ✅ Recommended
AES-192 | CBC, ECB, CTR | FIPS 197 | RustCrypto/aes | ✅ Recommended
AES-256 | CBC, ECB, CTR | FIPS 197 | RustCrypto/aes | ✅ Recommended
Key Derivation Functions
PBKDF2 | RFC 2898 | RustCrypto/pbkdf2 | ✅ Recommended
Argon2id | RFC 9106 | RustCrypto/argon2 | ✅ Recommended
Argon2i | RFC 9106 | RustCrypto/argon2 | ✅ Recommended
Argon2d | RFC 9106 | RustCrypto/argon2 | ⚠️ Use with caution
bcrypt | - | RustCrypto/bcrypt | ✅ Recommended
Security Best Practices
For Users
Use Strong Parameters
Use recommended iterations for PBKDF2 (≥100,000)
Use appropriate memory cost for Argon2 (≥4MB)
Use sufficient bcrypt rounds (≥10)
Generate Secure Random Values
Choose Appropriate Algorithms
Prefer SHA-256/SHA-512 over SHA-1
Prefer BLAKE2/BLAKE3/SHA-3 for new applications
Avoid MD4/MD5 except for legacy compatibility
Use Argon2id for password hashing
Use AES-256 with CBC or CTR mode
Validate Input Parameters
Handle Errors Securely
Don't expose sensitive information in error messages
Use constant-time comparison for authentication
For Developers
Secure Development Practices
Never hardcode cryptographic keys
Use secure random number generation
Clear sensitive data from memory when possible
Validate all inputs before processing
Testing Security
Test with known attack vectors
Verify against test vectors from standards
Test edge cases and error conditions
Benchmark for timing attack resistance
Known Limitations
Side-Channel Attacks
While we implement constant-time operations where possible, WebAssembly and JavaScript environments may introduce timing variations
Consider your threat model when using the library in security-critical applications
Memory Security
JavaScript and WebAssembly cannot guarantee secure memory clearing
Sensitive data may remain in memory longer than expected
Random Number Generation
This library does not provide random number generation
Users must provide their own secure random values for salts, IVs, and keys
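The "For Users" practices above (parameter minimums, input validation, constant-time comparison) and the requirement that callers supply their own salts, IVs, and keys, shown together as an added example. It is not code from cryptographer.js and uses Node.js's built-in `crypto` module rather than the library's API; the function names, the 16-byte salt, and the 32-byte key length are assumptions.

```javascript
// Added example: Node.js built-in crypto, not the cryptographer.js API.
const nodeCrypto = require('node:crypto');

const MIN_PBKDF2_ITERATIONS = 100000; // minimum from "Use Strong Parameters"
const SALT_BYTES = 16; // assumption: 128-bit salt
const KEY_BYTES = 32;  // assumption: 256-bit derived key

// Reject weak or malformed parameters; the message reveals no secret material.
function validateParams(iterations, salt) {
  if (!Number.isInteger(iterations) || iterations < MIN_PBKDF2_ITERATIONS ||
      !Buffer.isBuffer(salt) || salt.length < SALT_BYTES) {
    throw new RangeError('invalid KDF parameters');
  }
}

// Build a storable record; the salt comes from the OS CSPRNG.
function hashPassword(password, iterations = MIN_PBKDF2_ITERATIONS) {
  const salt = nodeCrypto.randomBytes(SALT_BYTES);
  validateParams(iterations, salt);
  const hash = nodeCrypto.pbkdf2Sync(password, salt, iterations, KEY_BYTES, 'sha256');
  return { iterations, salt: salt.toString('hex'), hash: hash.toString('hex') };
}

// Re-derive with the stored parameters and compare in constant time.
function verifyPassword(password, record) {
  const salt = Buffer.from(record.salt, 'hex');
  const expected = Buffer.from(record.hash, 'hex');
  validateParams(record.iterations, salt);
  // timingSafeEqual throws on unequal lengths, so reject a malformed hash first.
  if (expected.length !== KEY_BYTES) return false;
  const actual = nodeCrypto.pbkdf2Sync(password, salt, record.iterations, KEY_BYTES, 'sha256');
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Fresh AES-256 key and 16-byte IV for CBC or CTR; generate a new IV per message.
function newAesKeyAndIv() {
  return { key: nodeCrypto.randomBytes(32), iv: nodeCrypto.randomBytes(16) };
}
```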
Reporting a Vulnerability
How to Report
DO NOT create a public GitHub issue for security vulnerabilities. Instead:
Email: Send detailed information to wilsontran@ronus.io
Subject Line: [SECURITY] cryptographer.js vulnerability report
Include:
Description of the vulnerability
Steps to reproduce
Potential impact
Suggested fix (if any)
Your contact information
What to Expect
Acknowledgment: Within 48 hours of your report
Initial Assessment: Within 1 week
Regular Updates: Every week until resolution
Disclosure Timeline: 90 days from initial report (negotiable)
Our Response Process
Confirmation: We'll confirm the vulnerability and assess its severity
Fix Development: We'll develop and test a fix
Coordinated Disclosure: We'll work with you on disclosure timing
Release: We'll release a security update
Public Disclosure: We'll publish a security advisory
Severity Classification
We use the following severity levels:
Critical: Remote code execution, cryptographic bypass
High: Local privilege escalation, key recovery
Medium: Information disclosure, denial of service
Low: Minor issues with limited impact
Bug Bounty
While we don't currently offer a formal bug bounty program, we deeply appreciate security researchers who help improve our security. We will:
Acknowledge your contribution in our security advisories
Provide you with early access to fixes for testing
Consider you for our contributors list
Security Advisories
Published security advisories will be available at:
GitHub Security Advisories: https://github.com/wstran/cryptographer/security/advisories
npm Security: https://www.npmjs.com/advisories
Compliance and Certifications
Standards Compliance
FIPS 140-2: Algorithms implemented follow FIPS-approved specifications
Common Criteria: Design follows security principles outlined in CC
NIST Guidelines: Implementation follows NIST cryptographic recommendations
Third-Party Security
Dependencies: All Rust dependencies are from reputable sources (primarily RustCrypto)
Audits: We encourage third-party security audits and will publish results
Vulnerability Scanning: Regular automated scanning for known vulnerabilities
Security Resources
For Further Reading
Contact Information
Security Email: wilsontran@ronus.io
General Contact: wilsontran@ronus.io
GitHub: https://github.com/wstran/cryptographer
Last updated: 2024
This security policy is a living document and will be updated as needed.