Security is very important to Confy Security. If you discover a security vulnerability, please report it responsibly to us immediately.

DO NOT open a public GitHub issue for security vulnerabilities. Public disclosure can put the entire community at risk. Instead, please follow the responsible disclosure process outlined below.

Send an email to: confy@henriquesebastiao.com

Include the following information in your report:

Subject: [SECURITY] Vulnerability Report

1. Type of vulnerability (e.g., buffer overflow, SQL injection, cryptographic weakness)
2. Description of the vulnerability
3. Location in the code (file path, function name, line numbers if possible)
4. Steps to reproduce the issue
5. Proof of concept or sample code (if applicable)
6. Expected vs. actual behavior
7. Potential impact and severity
8. Your contact information (optional, but recommended)

To help us understand and address the vulnerability faster, please provide:

• Detailed description: What is the vulnerability and how does it manifest?
• Affected versions: Which versions of Confy Addons are affected?
• Reproduction steps: Provide clear, step-by-step instructions to reproduce the issue
• Code sample: Include sample code that demonstrates the vulnerability
• Impact assessment: Explain what an attacker could do with this vulnerability
• Suggested fix: If you have an idea for a patch, please share it
• Your research: Include any relevant research or references

• 24 hours: We acknowledge receipt of your report
• 72 hours: We provide an initial assessment and may request clarification
• 7 days: We confirm the vulnerability status
• 14 days: We provide an estimated patch timeline
• Ongoing: Regular updates on progress

1. Acknowledgment - We confirm receipt of your report within 24 hours
2. Analysis - Our security team analyzes the vulnerability
3. Verification - We verify the vulnerability in our codebase
4. Development - We develop and test a fix
5. Release - We release a patched version
6. Disclosure - We publicly disclose the vulnerability and credit you (if desired)

• We will keep you informed throughout the process
• We will discuss the vulnerability details only with those who need to know
• We will not disclose your identity without permission
• We will ask for your consent before crediting you publicly

After we acknowledge a vulnerability report, we enforce an embargo period:

• Critical vulnerabilities: 30 days maximum before public disclosure
• High severity vulnerabilities: 45 days maximum before public disclosure
• Medium severity vulnerabilities: 60 days maximum before public disclosure
• Low severity vulnerabilities: 90 days maximum before public disclosure

During this period, we request that you do not publicly disclose the vulnerability.

After the embargo period or when a patch is released (whichever comes first), we will:

1. Release a security patch
2. Publish a security advisory
3. Credit the reporter (with permission)
4. Provide mitigation guidance for users who cannot update immediately

We provide security updates for:

We support the following Python versions:

• Python 3.9.2+
• Python 3.10
• Python 3.11
• Python 3.12
• Python 3.13
• Python 3.14

Security updates will be provided for the last 5 minor versions of Python.

Confy Addons provides cryptographic functions for encryption and decryption. Users should be aware:

• ✔️ We use industry-standard libraries - We rely on the cryptography library, which is actively maintained and audited
• ✔️ We implement best practices - We use OAEP padding for RSA and CFB mode for AES
• ⚠️ Key management is your responsibility - You must securely generate, store, and manage cryptographic keys
• ⚠️ Not a complete solution - This library provides encryption primitives, not a complete security solution

We actively monitor our dependencies for security vulnerabilities:

• Dependabot - Automated dependency monitoring
• Regular audits - Manual security reviews
• Rapid patching - Quick updates when vulnerabilities are discovered

1. Keep Python updated - Use the latest supported Python version
2. Keep dependencies updated - Run pip install --upgrade cryptography
3. Generate strong keys - Use proper key sizes (RSA: 4096+ bits, AES: 256 bits)
4. Secure key storage - Store cryptographic keys securely, never in version control
5. Validate input - Always validate and sanitize data before encryption
6. Handle errors properly - Don't expose error details to end users
7. Use HTTPS - When transmitting keys or encrypted data over the network
8. Review code - Audit any cryptographic implementation in your application

# ✅ Good: Generate and store securely
from confy_addons import RSAEncryption

rsa = RSAEncryption()
private_key = rsa.private_key

# Store private_key securely (e.g., hardware security module, encrypted storage)
# Never commit to version control
# Use environment variables or secure config files

# ❌ Bad: Don't do this
private_key_hardcoded = "-----BEGIN RSA PRIVATE KEY-----\n..."  # DON'T!

# ✅ Good: Transmit only public key
from confy_addons import RSAEncryption

rsa = RSAEncryption()
public_key_b64 = rsa.base64_public_key  # Safe to share

# ❌ Bad: Never transmit private key
private_key_b64 = rsa.serialized_public_key  # DON'T transmit this!

• RSA Encryption - 4096-bit asymmetric encryption with OAEP padding
• AES Encryption - 256-bit symmetric encryption in CFB mode
• Key Serialization - Safe base64 encoding of public keys
• Error Handling - Custom exceptions for encryption/decryption errors
• Type Safety - Strong type hints for security-critical functions

• ❌ Key generation from passwords - Use a proper key derivation function
• ❌ Key agreement protocols - Use protocols like ECDH for key exchange
• ❌ Digital signatures - Use RSA-PSS or ECDSA for signing
• ❌ Message authentication - Use HMAC or authenticated encryption modes
• ❌ Secure random number generation - We use the system's secrets module

For these features, consider using the cryptography library directly or other specialized libraries.

• Email the security team privately
• Provide clear reproduction steps
• Give reasonable time to patch
• Don't share exploit code publicly
• Wait for a patch before public disclosure

• Posting vulnerability details on social media
• Opening a public GitHub issue
• Sharing exploit code publicly
• Demanding immediate payment or recognition
• Ignoring the reporting process

We will maintain a log of security updates here.

• cryptography (>=45.0.7, <46.0.0) - Active maintenance, regular security updates

# Check for known vulnerabilities in dependencies
pip install safety
safety check

# Or use Poetry's built-in check
poetry check

# Update all dependencies to latest versions
poetry update

# Update a specific package
poetry update cryptography

# Check for outdated packages
poetry show --outdated

1. Static Analysis - Bandit for security code analysis
2. Type Checking - MyPy to catch type-related security issues
3. Dependency Scanning - Dependabot for vulnerable dependencies
4. Code Review - Manual security review of all changes
5. Fuzzing - Testing with invalid/unexpected inputs (when applicable)

# Run security analysis with Bandit
poetry run bandit -r ./confy_addons

# Check types with MyPy
poetry run mypy -p confy_addons

# Run all quality checks
task pre_test

If a security vulnerability is found in production:

1. Immediate Response (0-2 hours)

   • Assemble the security response team
   • Assess the vulnerability severity
   • Determine immediate mitigation steps

2. Triage (2-24 hours)

   • Verify the vulnerability
   • Identify all affected versions
   • Assess the real-world impact

3. Development (24-72 hours)

   • Develop a fix or workaround
   • Create comprehensive tests
   • Prepare patches for affected versions

4. Release (as soon as ready)

   • Release security patch
   • Notify users immediately
   • Provide upgrade guidance

5. Post-Incident (1-2 weeks)

   • Conduct root cause analysis
   • Improve processes to prevent recurrence
   • Publish security advisory

Security Vulnerability: A flaw in the code that could allow an attacker to compromise security. Example: A cryptographic weakness, unvalidated input.

→ Report via email: confy@henriquesebastiao.com

Feature Request: A request for a new security feature. Example: "Add support for digital signatures."

→ Open a GitHub issue with label security

Security Improvement: A suggestion to improve security. Example: "Add input validation here."

→ Open a GitHub issue with label enhancement

• README.md - Usage guidelines
• CONTRIBUTING.md - Development guidelines
• CODE_OF_CONDUCT.md - Community guidelines

• Source Code - Full source code review available
• Issues - Tracking of reported issues
• Discussions - Security discussions

• Email: confy@henriquesebastiao.com
• GitHub: @confy-security
• Response Time: Within 24 hours for initial acknowledgment

For responsible disclosure of security vulnerabilities, please follow the guidelines in this document.

We are committed to:

• Transparency - Being honest about security issues and fixes
• Accountability - Taking responsibility for addressing vulnerabilities
• Timeliness - Responding promptly to security reports
• Fairness - Treating all reporters with respect and fairness
• Collaboration - Working with the community to improve security

A: Yes, Confy Addons is designed for production use. However, like all security-critical software, it should be:

• Regularly updated
• Integrated with other security measures
• Tested thoroughly in your specific use case
• Deployed with appropriate operational security practices

A: Security updates are released as needed when vulnerabilities are discovered and fixed. We typically aim to release patches within 30 days of discovering a critical vulnerability.

A: Yes! The code is open source and available on GitHub. You're welcome to conduct your own security audit. If you find something, please report it responsibly using the process in this document.

A:

1. Contact us immediately at confy@henriquesebastiao.com
2. Rotate the key immediately
3. Do not attempt to remove it from history alone (it may still be accessible)
4. We can help guide you through the remediation process

A: Email confy@henriquesebastiao.com with details of the vulnerability. Do NOT open a public GitHub issue.

A: When in doubt, please report it to confy@henriquesebastiao.com. We'd rather receive false alarms than miss actual security issues. We promise to treat your report confidentially.

• OWASP Security Guidelines: https://owasp.org/
• Cryptography Best Practices: https://cryptography.io/
• Python Security: https://python.readthedocs.io/en/latest/library/security_warnings.html
• Responsible Disclosure: https://www.eff.org/deeplinks/2019/10/what-responsible-disclosure

We thank all security researchers and community members who help make Confy more secure.

If you've responsibly disclosed a security vulnerability to us and would like to be credited, please let us know, and we'll include you in our security advisory.

Last Updated: October 22, 2025

Next Review: October 22, 2026

Built with ❤️ by the Confy Security Team