studio/marathon
2
0
Fork 0
Code Issues 121 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
v0.1.0
marathon/SECURITY.md
Sienna Meridian Satterwhite fdba3903cc chore(release): final release commit for 0.1.0 
this commit includes a whole lotta fuck yeah, a whole lotta we fuckin
got this, and a lot of "please change the future."

i hope it works.

Signed-off-by: Sienna Meridian Satterwhite <sienna@r3t.io>
2026-02-06 20:10:51 +00:00

4.6 KiB
Raw Permalink Blame History

Security Policy

Supported Versions

As an early-stage project (version 0.x.y), security support is limited to the latest development version.

Version Supported
mainline branch
0.1.x
< 0.1.0

Security Maturity

Marathon is currently in early development (0.1.x) and is NOT recommended for production use or handling sensitive data.

Security considerations for the current release:

  • ⚠️ Network protocol is not hardened against malicious peers
  • ⚠️ Authentication is not yet implemented
  • ⚠️ Encryption is provided by QUIC but not verified against attacks
  • ⚠️ Authorization is not implemented
  • ⚠️ Data validation is basic and not audited
  • ⚠️ Persistence layer stores data unencrypted locally

Use Marathon only in trusted development environments with non-sensitive data.

Reporting a Vulnerability

We take security issues seriously. If you discover a security vulnerability in Marathon, please help us address it responsibly.

How to Report

Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, report vulnerabilities by:

  1. Email: Send details to sienna@linux.com
  2. Subject line: Include "SECURITY" and a brief description
  3. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if you have one)

What to Expect

After you submit a report:

  1. Acknowledgment: We'll confirm receipt within 48 hours
  2. Assessment: We'll evaluate the severity and impact within 5 business days
  3. Updates: We'll keep you informed of our progress
  4. Resolution: We'll work on a fix and coordinate disclosure timing with you
  5. Credit: We'll acknowledge your contribution (unless you prefer to remain anonymous)

Disclosure Timeline

  • Critical vulnerabilities: Aim to fix within 30 days
  • High severity: Aim to fix within 60 days
  • Medium/Low severity: Addressed in regular development cycle

We'll coordinate public disclosure timing with you after a fix is available.

Security Best Practices

If you're using Marathon (keeping in mind it's not production-ready):

For Development

  • Use isolated networks for testing
  • Don't use real user data or sensitive information
  • Don't expose to the internet without additional security layers
  • Keep dependencies updated with cargo update
  • Review security advisories for Rust crates you depend on

For Deployment (Future)

Once Marathon reaches production readiness, we plan to implement:

  • End-to-end encryption for all peer communications
  • Peer authentication and authorization
  • Encrypted local storage
  • Rate limiting and DoS protection
  • Security audit trail
  • Regular security audits

Known Security Gaps

Current known limitations (to be addressed before 1.0):

  • No peer authentication - Any peer can join a session
  • No authorization system - All peers have full permissions
  • No encrypted storage - Local SQLite database is unencrypted
  • Limited input validation - CRDT operations trust peer input
  • No audit logging - Actions are not logged for security review
  • Network protocol not hardened - Vulnerable to malicious peers

Security Contact

For security-related questions or concerns:

Security Advisories

Security advisories will be published:

  • In GitHub Security Advisories
  • In release notes
  • In this SECURITY.md file

Currently, there are no published security advisories.

Responsible Disclosure

We believe in responsible disclosure and request that you:

  • Give us reasonable time to address issues before public disclosure
  • Make a good faith effort to avoid privacy violations and service disruption
  • Don't exploit vulnerabilities beyond demonstrating the issue
  • Don't access or modify data that doesn't belong to you

In return, we commit to:

  • Respond promptly to your report
  • Keep you informed of our progress
  • Credit you for your discovery (if desired)
  • Not pursue legal action for good faith security research

Additional Resources

Version History

  • 2026-02-06: Initial security policy for v0.1.0 release

Thank you for helping keep Marathon and its users safe!

Reference in New Issue View Git Blame Copy Permalink