PEAC Protocol takes security seriously. If you discover a security vulnerability, please report it responsibly.
Email: security@peacprotocol.org
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested remediation (if any)
Response timeline:
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Fix timeline: Depends on severity
PEAC policy files (peac.txt) are public by design. Do not include:
- Private keys or secrets
- Personally identifiable information
- Internal system details
Transport security:
- Always use HTTPS in production
- Validate SSL certificates
- Implement appropriate timeouts
When implementing PEAC parsers:
- Validate all input against the schema
- Set reasonable size limits
- Handle malformed content gracefully
- Avoid recursive parsing vulnerabilities
If using signed policies:
- Verify signatures before trusting content
- Use established cryptographic libraries
- Rotate keys periodically
- Store private keys securely
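The signed-policy guidance above as an added example; this is not PEAC's own code, and the page does not say how PEAC attaches signatures to peac.txt. The example therefore assumes a detached Ed25519 signature (Go's standard `crypto/ed25519`) over the exact served bytes, tagged with a key identifier, so a consumer's trust store can hold the current and previous key during a rotation. The shape to copy is that `VerifyPolicy` returns the body only after verification, so nothing downstream can parse unverified content, and that a malformed signature is treated exactly like a wrong one.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"errors"
	"fmt"
)

// Assumption: this page does not say how PEAC attaches signatures to peac.txt.
// This example models a detached Ed25519 signature over the exact served bytes,
// tagged with a key identifier so a trust store can hold more than one key
// while a rotation is in progress.

// SignedPolicy is what a consumer holds before it has decided to trust anything.
type SignedPolicy struct {
	Body  []byte // the exact bytes served as peac.txt
	KeyID string // which publisher key signed Body
	Sig   string // base64 Ed25519 signature over Body
}

// TrustStore maps key identifiers to pinned public keys.
type TrustStore map[string]ed25519.PublicKey

var (
	ErrUnknownKey   = errors.New("signature references a key not in the trust store")
	ErrBadSignature = errors.New("signature does not verify over the policy body")
)

// VerifyPolicy hands back the body only after the signature checks out, so the
// parser never sees unverified content.
func (ts TrustStore) VerifyPolicy(sp SignedPolicy) ([]byte, error) {
	pub, ok := ts[sp.KeyID]
	if !ok {
		return nil, ErrUnknownKey
	}
	sig, err := base64.StdEncoding.DecodeString(sp.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrBadSignature // a malformed signature is treated like a wrong one
	}
	if !ed25519.Verify(pub, sp.Body, sig) {
		return nil, ErrBadSignature
	}
	return sp.Body, nil
}

// Retire removes a key once every policy signed with it has expired from caches.
func (ts TrustStore) Retire(keyID string) { delete(ts, keyID) }

// SignPolicy is the publisher side, included so the example runs end to end.
// In production the private key lives in an HSM or secrets manager, never next to peac.txt.
func SignPolicy(priv ed25519.PrivateKey, keyID string, body []byte) SignedPolicy {
	return SignedPolicy{Body: body, KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(ed25519.Sign(priv, body))}
}

// NewKeyPair generates a fresh key pair; a nil reader makes ed25519 use crypto/rand.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

func main() {
	oldPub, oldPriv := NewKeyPair()
	newPub, newPriv := NewKeyPair()
	body := []byte("version: 1\nallow: /public\n") // constructed policy body
	ts := TrustStore{"key-2024": oldPub}

	signed := SignPolicy(oldPriv, "key-2024", body)
	_, err := ts.VerifyPolicy(signed)
	fmt.Println("original verifies:", err == nil)

	altered := signed
	altered.Body = []byte("version: 1\ndeny: /public\n") // body changed after signing
	_, err = ts.VerifyPolicy(altered)
	fmt.Println("altered body:", err)

	// Rotation: publish the new key first, sign with it, then retire the old one.
	ts["key-2025"] = newPub
	_, err = ts.VerifyPolicy(SignPolicy(newPriv, "key-2025", body))
	fmt.Println("new key verifies:", err == nil)
	ts.Retire("key-2024")
	_, err = ts.VerifyPolicy(signed)
	fmt.Println("old key after retirement:", err)
}
```

The trust store is keyed by identifier rather than holding a single key precisely so that rotation is a two-step operation: add the new key, switch signing, and only retire the old key after cached copies signed with it have expired. Dropping the old key too early turns every still-cached policy into an `ErrUnknownKey`.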
Additional recommendations:
- Serve peac.txt over HTTPS only
- Set appropriate cache headers
- Monitor access logs for anomalies
- Keep policies simple and minimal
- Validate all parsed content
- Implement request rate limiting
- Use timeouts for network requests
- Log security-relevant events
- Verify the authenticity of PEAC implementations
- Check policy details before granting access
- Report suspicious behavior
Known limitations:
- Policy files are public and can be read by anyone
- No built-in encryption for policy content
- Enforcement depends on implementation compliance
Security updates will be announced via:
- GitHub security advisories
- Project mailing list (when established)
- CHANGELOG.md notes