Do not open a public GitHub issue for security vulnerabilities.
Instead, report by emailing the maintainers directly or via GitHub's private vulnerability reporting.
Include:
- Description of the issue
- Steps to reproduce
- Potential impact
- Any suggested fix if you have one
We'll respond within 7 days and coordinate a fix and disclosure timeline.
Security-relevant areas of this codebase:
- Hash computation in
ots/leaf.go— correctness of SHA-256 and canonical JSON - File reading in
ots/leaf.go— path traversal concerns - Shell-out in
ots/runner.go(stampOTS) — command injection viaOTS_CMDenv var
OTS_CMD is read from the environment and split on whitespace. Do not set it to untrusted input.