marathon/SECURITY.md

# Security Policy
## Supported Versions
As an early-stage project (version 0.x.y), security support is limited to the latest development version.
| Version | Supported |
| ------- | ------------------ |
| mainline branch | :white_check_mark: |
| 0.1.x | :white_check_mark: |
| < 0.1.0 | :x: |
## Security Maturity
**Marathon is currently in early development (0.1.x) and is NOT recommended for production use or handling sensitive data.**
Security considerations for the current release:
- ⚠️ **Network protocol** is not hardened against malicious peers
- ⚠️ **Authentication** is not yet implemented
- ⚠️ **Encryption** is provided by QUIC but not verified against attacks
- ⚠️ **Authorization** is not implemented
- ⚠️ **Data validation** is basic and not audited
- ⚠️ **Persistence layer** stores data unencrypted locally
**Use Marathon only in trusted development environments with non-sensitive data.**
## Reporting a Vulnerability
We take security issues seriously. If you discover a security vulnerability in Marathon, please help us address it responsibly.
### How to Report
**Please DO NOT report security vulnerabilities through public GitHub issues.**
Instead, report vulnerabilities by:
1. **Email**: Send details to sienna@linux.com
2. **Subject line**: Include "SECURITY" and a brief description
3. **Include**:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggested fix (if you have one)
### What to Expect
After you submit a report:
1. **Acknowledgment**: We'll confirm receipt within 48 hours
2. **Assessment**: We'll evaluate the severity and impact within 5 business days
3. **Updates**: We'll keep you informed of our progress
4. **Resolution**: We'll work on a fix and coordinate disclosure timing with you
5. **Credit**: We'll acknowledge your contribution (unless you prefer to remain anonymous)
### Disclosure Timeline
- **Critical vulnerabilities**: Aim to fix within 30 days
- **High severity**: Aim to fix within 60 days
- **Medium/Low severity**: Addressed in regular development cycle
We'll coordinate public disclosure timing with you after a fix is available.
## Security Best Practices
If you're using Marathon (keeping in mind it's not production-ready):
### For Development
- **Use isolated networks** for testing
- **Don't use real user data** or sensitive information
- **Don't expose to the internet** without additional security layers
- **Keep dependencies updated** with `cargo update`
- **Review security advisories** for Rust crates you depend on
### For Deployment (Future)
Once Marathon reaches production readiness, we plan to implement:
- End-to-end encryption for all peer communications
- Peer authentication and authorization
- Encrypted local storage
- Rate limiting and DoS protection
- Security audit trail
- Regular security audits
### Known Security Gaps
Current known limitations (to be addressed before 1.0):
- **No peer authentication** - Any peer can join a session
- **No authorization system** - All peers have full permissions
- **No encrypted storage** - Local SQLite database is unencrypted
- **Limited input validation** - CRDT operations trust peer input
- **No audit logging** - Actions are not logged for security review
- **Network protocol not hardened** - Vulnerable to malicious peers
## Security Contact
For security-related questions or concerns:
- **Email**: sienna@linux.com
- **Response time**: Within 48 hours for initial contact
## Security Advisories
Security advisories will be published:
- In GitHub Security Advisories
- In release notes
- In this SECURITY.md file
Currently, there are no published security advisories.
## Responsible Disclosure
We believe in responsible disclosure and request that you:
- Give us reasonable time to address issues before public disclosure
- Make a good faith effort to avoid privacy violations and service disruption
- Don't exploit vulnerabilities beyond demonstrating the issue
- Don't access or modify data that doesn't belong to you
In return, we commit to:
- Respond promptly to your report
- Keep you informed of our progress
- Credit you for your discovery (if desired)
- Not pursue legal action for good faith security research
## Additional Resources
- [Rust Security Advisory Database](https://rustsec.org/)
- [cargo-audit](https://github.com/RustSec/rustsec/tree/main/cargo-audit) - Audit Rust dependencies
- [OWASP Top 10](https://owasp.org/www-project-top-ten/) - Common web application security risks
## Version History
- **2026-02-06**: Initial security policy for v0.1.0 release
---
**Thank you for helping keep Marathon and its users safe!**