Skip to content

Security: didvc/simple-ots

Security

SECURITY.md

Security

Reporting a vulnerability

Do not open a public GitHub issue for security vulnerabilities.

Instead, report by emailing the maintainers directly or via GitHub's private vulnerability reporting.

Include:

  • Description of the issue
  • Steps to reproduce
  • Potential impact
  • Any suggested fix if you have one

We'll respond within 7 days and coordinate a fix and disclosure timeline.

Scope

Security-relevant areas of this codebase:

  • Hash computation in ots/leaf.go — correctness of SHA-256 and canonical JSON
  • File reading in ots/leaf.go — path traversal concerns
  • Shell-out in ots/runner.go (stampOTS) — command injection via OTS_CMD env var

OTS_CMD is read from the environment and split on whitespace. Do not set it to untrusted input.

There aren't any published security advisories