montana/Монтана-Протокол/SECURITY.md

# Security Policy

## Reporting a Vulnerability

Montana is a post-quantum blockchain protocol with TimeChain consensus. Security is foundational.

If you discover a security vulnerability, **do NOT open a public issue**. Instead:

- Email: `efir369999@gmail.com`
- Include: clear description, reproduction steps, affected component (e.g. `mt-crypto`, `mt-consensus`, `mt-net`), severity assessment.
- Allow up to **14 days** for initial response.

We follow **responsible disclosure**: vulnerability is fixed before public disclosure. Reporters are credited in release notes (unless they prefer anonymity).

## Scope

In scope:
- Cryptographic primitives in `Код/crates/mt-crypto/` and `Код/crates/mt-crypto-native/`
- Consensus & VDF logic in `Код/crates/mt-consensus/`, `Код/crates/mt-vdf/`
- Network layer in `Код/crates/mt-net/`, `Код/crates/mt-net-transport/`
- Wallet, anchor, transfer logic in respective `mt-*` crates
- Specification ambiguities or contradictions in `Montana v*.md`

Out of scope:
- Issues only reproducible with non-default `protocol_params`
- Performance issues without security impact
- Anything outside `Код/` and the Montana spec files

## Security Architecture

- **Post-quantum primitives**: ML-DSA-65 (FIPS 204), ML-KEM-768 (FIPS 203), SHA-256, HKDF-SHA256, PBKDF2.
- **Single Source of Truth (SSOT)**: every constant lives in exactly one place; no duplication.
- **Audit trail**: see `Код/docs/audit-checklist.md` (53/53 findings closed for M6 + M9).
- **Reproducible builds**: `Код/docs/build-from-source.md` provides verification steps.

## Audit Status

- **Internal**: Pass 1-17 critic reviews complete. Roles in `CLAUDE.md`, `CRITIC.md`.
- **External**: Pending engagement (target firms — NCC Group, Trail of Bits, Cure53, Quarkslab, Cryspen).
Mirror of /Users/kh./Python/Ничто/Монтана 2026-05-04 00:48:53 +03:00			`# Security Policy`

			`## Reporting a Vulnerability`

			`Montana is a post-quantum blockchain protocol with TimeChain consensus. Security is foundational.`

			`If you discover a security vulnerability, do NOT open a public issue. Instead:`

			- Email: `efir369999@gmail.com`
			- Include: clear description, reproduction steps, affected component (e.g. `mt-crypto`, `mt-consensus`, `mt-net`), severity assessment.
			`- Allow up to 14 days for initial response.`

			`We follow responsible disclosure: vulnerability is fixed before public disclosure. Reporters are credited in release notes (unless they prefer anonymity).`

			`## Scope`

			`In scope:`
			- Cryptographic primitives in `Код/crates/mt-crypto/` and `Код/crates/mt-crypto-native/`
			- Consensus & VDF logic in `Код/crates/mt-consensus/`, `Код/crates/mt-vdf/`
			- Network layer in `Код/crates/mt-net/`, `Код/crates/mt-net-transport/`
			- Wallet, anchor, transfer logic in respective `mt-*` crates
			- Specification ambiguities or contradictions in `Montana v*.md`

			`Out of scope:`
			- Issues only reproducible with non-default `protocol_params`
			`- Performance issues without security impact`
			- Anything outside `Код/` and the Montana spec files

			`## Security Architecture`

			`- Post-quantum primitives: ML-DSA-65 (FIPS 204), ML-KEM-768 (FIPS 203), SHA-256, HKDF-SHA256, PBKDF2.`
			`- Single Source of Truth (SSOT): every constant lives in exactly one place; no duplication.`
			- Audit trail: see `Код/docs/audit-checklist.md` (53/53 findings closed for M6 + M9).
			- Reproducible builds: `Код/docs/build-from-source.md` provides verification steps.

			`## Audit Status`

			- Internal: Pass 1-17 critic reviews complete. Roles in `CLAUDE.md`, `CRITIC.md`.
			`- External: Pending engagement (target firms — NCC Group, Trail of Bits, Cure53, Quarkslab, Cryspen).`