Security whitepaper (draft)

Draft summary of threat assumptions, control priorities, and disclosure process.

1. Threat model scope

Focus: confidentiality and integrity for locally handled artifacts.
Primary risks: compromised binaries, key leakage, and operator mistakes.
Out of scope: full endpoint compromise and hostile operating systems.

2. Control priorities

Publish through auditable release channels with traceable history.
Recommend checksum and signature verification before installation.
Keep shipped and planned capabilities explicitly separated.

3. Disclosure and response

Report vulnerabilities to [email protected] with reproduction details. Current targets are acknowledgement within 3 business days and triage within 7 business days when reproducible.

Security Policy Current public security model. Verification Guide Checksum and signature workflow. Release Notes Version updates and timing.