If you discover a security vulnerability in OpenAmber, please report it responsibly.

Email: info [@] yousef [.] uk

Subject line: [SECURITY] Brief description

• Description of the vulnerability
• Steps to reproduce
• Potential impact assessment
• Suggested fix (if you have one)

• Acknowledgment: Within 48 hours
• Initial assessment: Within 7 days
• Resolution timeline: Provided after assessment

1. We will acknowledge your report promptly
2. We will investigate and assess the vulnerability
3. We will work with you to understand the issue fully
4. We will develop and test a fix
5. We will release the fix and credit you (unless you prefer anonymity)

OpenAmber uses Ed25519 for digital signatures. Key considerations:

• Use audited cryptographic libraries (libsodium recommended)
• Never implement cryptographic primitives from scratch
• Follow key management best practices

• Alerts contain personal data about children
• Implement data minimization principles
• Enforce automatic expiry of alerts
• Protect photo URLs from unauthorized access

• Validate all incoming alert signatures
• Implement rate limiting
• Log access for security monitoring
• Use TLS for all communications

As a pre-development project, OpenAmber has not yet undergone formal security audit. The protocol specification is subject to change based on security review.

Once funded, we plan to engage Radically Open Security (through NGI Zero support services) for a comprehensive security audit.