Security
We design for privacy, resilience, and verifiability. This page documents how to report vulnerabilities, what to expect from our response, and how to validate the software we publish.
Report a vulnerability
Email security@journalfoundation.org. Encrypt sensitive reports with our PGP key (download) and include the fingerprint below when verifying it.
- Preferred languages: English
- PGP fingerprint: 0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
- Service-level objectives: acknowledge within 3 business days, provide triage updates within 7 days, and remediate or share a mitigation plan within 90 days.
Coordinated Vulnerability Disclosure
We follow a 90-day disclosure window (extensions are available for complex fixes or coordinated releases). If we observe active exploitation or you encounter evidence of it, we may accelerate disclosure to protect users. We appreciate early notification and collaboration on timing.
Safe Harbor for good-faith research
If you make a good-faith effort to comply with this policy:
- We will not pursue legal action or referral under anti-hacking laws, anti-circumvention rules, or our Terms for in-scope testing.
- Authorization covers inadvertent Terms of Service violations that stem solely from security testing.
- Limit testing to the scope below and avoid privacy harm. If you encounter personal data, stop, protect it, and report immediately.
Scope & rules of engagement
In scope
- journalfoundation.org and subdomains we operate
- Open-source repositories under the Journal Foundation GitHub organization
- Signed release artifacts we distribute (containers, packages, archives)
Out of scope
- Third-party platforms or services (cloud providers, SaaS, vendors)
- Social engineering, phishing, or physical attacks
- Denial-of-service or volumetric traffic testing
- Exfiltration or persistence of personal or confidential data
When testing, avoid degrading services, spamming, or destroying data. If unsure whether something is in scope, contact us before testing.
Privacy & cryptography commitments
Our protocols prioritize content confidentiality, metadata minimization (including the use of blind relays such as Oblivious HTTP), and capability-based sharing. Explore the latest drafts in our Specifications library.
Web & application hardening
- HTTP Strict Transport Security (HSTS) with preload
- Content Security Policy (CSP) enforced with per-request nonces
- Referrer-Policy: no-referrer
- X-Content-Type-Options: nosniff
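The four headers above form a baseline that can be both emitted and checked. The following is an added example (not the foundation's own code) showing a per-request CSP nonce, the matching header set, and an audit routine that flags a response falling short of the baseline; the CSP directives other than the nonce source, and the HSTS max-age value, are assumptions chosen to satisfy the HSTS preload list's minimum of one year.

```python
import secrets

# Assumed value: two years, includeSubDomains and preload are what the preload list requires.
HSTS_VALUE = "max-age=63072000; includeSubDomains; preload"
PRELOAD_MIN_MAX_AGE = 31536000  # preload submission requires at least one year


def make_nonce() -> str:
    """Fresh 128-bit nonce for this request only; never reuse across responses."""
    return secrets.token_urlsafe(16)


def build_csp(nonce: str) -> str:
    """CSP whose only script source is the per-request nonce (directives assumed for illustration)."""
    return (
        "default-src 'self'; "
        f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
        "object-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )


def security_headers(nonce: str) -> dict:
    """The header set listed on the page, ready to attach to a response."""
    return {
        "Strict-Transport-Security": HSTS_VALUE,
        "Content-Security-Policy": build_csp(nonce),
        "Referrer-Policy": "no-referrer",
        "X-Content-Type-Options": "nosniff",
    }


def _hsts_directives(value: str) -> dict:
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        out[key.strip().lower()] = val.strip()
    return out


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the response meets the baseline."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = _hsts_directives(h.get("strict-transport-security", ""))
    try:
        max_age = int(hsts.get("max-age", "0"))
    except ValueError:
        max_age = 0
    if max_age < PRELOAD_MIN_MAX_AGE:
        findings.append("HSTS max-age below preload minimum")
    if "includesubdomains" not in hsts:
        findings.append("HSTS missing includeSubDomains")
    if "preload" not in hsts:
        findings.append("HSTS missing preload")

    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("CSP missing")
    elif "'nonce-" not in csp:
        findings.append("CSP has no nonce source")

    if h.get("referrer-policy", "").strip().lower() != "no-referrer":
        findings.append("Referrer-Policy is not no-referrer")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings


if __name__ == "__main__":
    nonce = make_nonce()
    for name, value in security_headers(nonce).items():
        print(f"{name}: {value}")
    print("findings:", audit_headers(security_headers(nonce)))
```

A CSP nonce only does its job if it is unpredictable and minted per response; `secrets.token_urlsafe` gives the former, and calling `make_nonce()` inside the request handler rather than at import time gives the latter.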
Release integrity & supply chain
- Signed artifacts: Container images and release archives are signed with Sigstore/cosign. Verify with `cosign verify ghcr.io/journalfoundation/cipherlot:<TAG>`.
- Provenance attestations: We publish SLSA-compliant provenance to document what was built, by whom, and from which sources.
- Software Bills of Materials: Each release ships an SPDX or CycloneDX SBOM so you can audit dependencies.
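Because a release may ship its SBOM in either SPDX or CycloneDX, a consumer auditing dependencies needs to read both. The following is an added example (not the foundation's own tooling) that normalises the two JSON forms into one component list and then checks it against the versions the consumer expects to have pinned; the two SBOM documents and the pin list are constructed sample data, not real Journal Foundation releases.

```python
import json
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    purl: Optional[str]


def parse_cyclonedx(doc: dict) -> List[Component]:
    """CycloneDX JSON keeps components in a flat 'components' array."""
    return [
        Component(c["name"], c.get("version", ""), c.get("purl"))
        for c in doc.get("components", [])
    ]


def parse_spdx(doc: dict) -> List[Component]:
    """SPDX JSON keeps 'packages'; the purl lives in an externalRef of type 'purl'."""
    out = []
    for pkg in doc.get("packages", []):
        purl = None
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                purl = ref.get("referenceLocator")
        out.append(Component(pkg["name"], pkg.get("versionInfo", ""), purl))
    return out


def load_sbom(text: str) -> List[Component]:
    """Detect the format from its top-level marker and dispatch to the right parser."""
    doc = json.loads(text)
    if doc.get("bomFormat") == "CycloneDX":
        return parse_cyclonedx(doc)
    if "spdxVersion" in doc:
        return parse_spdx(doc)
    raise ValueError("unrecognised SBOM format")


def audit_components(components: List[Component], pinned: dict) -> List[str]:
    """Flag components with no version (unauditable) or a version other than the pinned one."""
    findings = []
    for c in components:
        if not c.version:
            findings.append(f"{c.name}: no version recorded")
        elif c.name in pinned and pinned[c.name] != c.version:
            findings.append(f"{c.name}: SBOM has {c.version}, pinned {pinned[c.name]}")
    return findings


# Constructed sample documents: names and versions are illustrative placeholders.
CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.4.1",
         "purl": "pkg:pypi/example-http@2.4.1"},
        {"type": "library", "name": "example-json", "version": "1.0.0"},
    ],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "name": "constructed-sbom",
    "packages": [
        {"name": "example-http", "versionInfo": "2.4.1",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-http@2.4.1"}]},
        {"name": "example-json"},
    ],
})
PINNED_SAMPLE = {"example-http": "2.4.0", "example-json": "1.0.0"}  # constructed lock list


if __name__ == "__main__":
    for text in (CYCLONEDX_SAMPLE, SPDX_SAMPLE):
        comps = load_sbom(text)
        print([(c.name, c.version) for c in comps], audit_components(comps, PINNED_SAMPLE))
```

Run against a real release, the pin list would come from the consumer's own lockfile; the point of normalising first is that the same audit logic applies regardless of which SBOM flavour the release happened to ship.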
Security advisories
Confirmed vulnerabilities receive public remediation guidance. We currently publish advisories through GitHub Security Advisories and assign CVE identifiers when available. Severity is scored using CVSS v4.0, or v3.1 where tooling has not yet caught up.
Hall of Fame
We appreciate researchers who help us improve. Unless you opt out, we’ll list acknowledgments here once we validate a report. (Bounties and swag are not yet available.)
| Researcher | Handle / URL | Issue | Published |
|---|---|---|---|
| Be the first to land here. | | | |
Transparency & further reading
- /.well-known/security.txt — machine-readable contact policy
- Contact page security section — additional outreach tips
- GitHub organization — repository-level SECURITY.md files
- Quarterly security notes (coming soon)