Security: dvb-projekt/dvb-WarpPool

SECURITY.md

Security Policy

Threat Model + Mitigations

See docs/SECURITY.md for the detailed version.

In short:

  • Rust for memory safety
  • TLS 1.3 only (Phase B Stratum TLS)
  • Cookie auth preferred over Basic auth
  • The pool NEVER touches private keys — the block reward flows directly via the coinbase to the user's wallet
  • Rate limiting + connection cap per admin profile
  • Argon2id hash for the admin password, JWT with a short lifetime
  • Signed releases via cosign (Phase B)
  • SBOM via Syft on the release build

Supported Versions

From 1.0 onwards: the latest minor version is supported. Security fixes land on main and ride along with the next release; please update to the latest tagged release before reporting a security issue.

Vulnerability Disclosure

Please do NOT open public issues for security problems.

Email: dvbprojekt@gmx.de with subject [security] dvb-WarpPool: ...

Expected response times:

  • First reply: 72h
  • Triage + severity: 7 days
  • Fix plan: 14 days
  • Disclosure window: 90 days after patch

PGP key to follow with Phase B.

Out of Scope

  • DoS via public Stratum endpoints (rate limiting is a mitigation, not full prevention)
  • Bugs in transitive dependencies — please report upstream
  • Issues that bypass auth via local filesystem access (the pool is not designed for multi-tenant hosting — the daemon user has full privileges on the host)