PyFAEST is currently in active development. Security updates are provided for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue in PyFAEST, please report it responsibly.
Please do not open a public GitHub issue for security vulnerabilities.
Instead, report security issues via one of these methods:
- Email: Send details to shreyas.sankpal@nyu.edu
- GitHub Security Advisory: Use the private vulnerability reporting feature
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact and attack scenarios
- Affected versions of PyFAEST
- Suggested fix (if you have one)
- Your contact information for follow-up questions
- Acknowledgment: Within 48 hours
- Initial assessment: Within 7 days
- Status updates: Every 7-14 days until resolved
- Fix release: Depends on severity and complexity
PyFAEST is a Python binding to the FAEST reference implementation and inherits its security characteristics:
- Reference Implementation: FAEST is not yet optimized for production use
- NIST Evaluation: FAEST is a candidate scheme, not yet standardized
- Side-Channel Attacks: No protection against timing or power analysis attacks
- Memory Safety: Private keys are cleared from memory, but Python's memory management may leave traces
- Cryptographic Vulnerabilities: Report issues with FAEST itself to the FAEST team
In Scope:
- Memory safety issues in Python bindings
- Input validation bypasses
- Incorrect API behavior leading to security issues
- Build system vulnerabilities
- Dependency vulnerabilities
Out of Scope:
- Issues in the underlying FAEST C library (report to upstream)
- Theoretical cryptographic attacks on FAEST
- General Python or OS-level security issues
- Performance-related issues (unless security-critical)
When using PyFAEST:
- Keep Updated: Use the latest version from PyPI
- Secure Storage: Encrypt private keys at rest
- Secure Channels: Transmit keys over secure channels only
- Key Lifecycle: Properly destroy keys when no longer needed
- Randomness: Ensure your system has a good entropy source
- Audit: Review security-critical code paths in your application
- Security issues will be disclosed publicly after a fix is released
- Credit will be given to reporters who responsibly disclose vulnerabilities
- A security advisory will be published on GitHub for significant issues
PyFAEST is developed as part of a Post-Quantum Cryptography course project at NYU. While we take security seriously, this is primarily an educational and research tool. For production use, please:
- Conduct your own security audit
- Consult with cryptography experts
- Follow industry best practices for key management
- Monitor NIST's PQC standardization process
- Security Issues: shreyas.sankpal@nyu.edu
- General Questions: GitHub Discussions
- Bug Reports: GitHub Issues
Thank you for helping keep PyFAEST secure!