Security Policy
Supported Versionsβ
| Version | Supported |
|---|---|
| 2.0.x | β |
| < 2.0 | β |
Reporting a Vulnerabilityβ
If you discover a security vulnerability in Phantom, please report it privately β do not open a public issue.
- Email: security@voidnix.dev
- Or open a private GitHub advisory on this repository
Include:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Severity estimate (Critical / High / Medium / Low)
Response time target: 48 hours for initial acknowledgement.
Security Measuresβ
- Dependency scanning:
pip-auditandsafetyrun on every CI push - Secret scanning:
trufflehogscans every commit for leaked credentials - Input validation: All API endpoints use Pydantic models with strict typing
- No secrets in repo:
.envfiles and credentials are gitignored; SOPS is recommended for secret management - Pre-commit hooks:
ruff, trailing-whitespace, large-file guard, merge-conflict detection - TLS in transit: Phantom API is intended to run behind a TLS-terminating proxy in production
Out of Scopeβ
- Vulnerabilities in third-party dependencies are reported upstream
- Issues in archived/experimental code (
.archive/) are not tracked
Licenseβ
Apache License 2.0 β see LICENSE.