Security

Responsible Disclosure

If you find a security vulnerability in any Brivora package, please report it responsibly.

We will acknowledge receipt within 24 hours and provide a detailed response within 72 hours. We will not take legal action against security researchers acting in good faith.

PGP Key

PGP Public Key: pending — key generation in progress

Cryptographic Implementation

@brivora/crypto implements NIST post-quantum cryptographic standards:

ML-KEM-768 (FIPS 203) — Key encapsulation mechanism
ML-DSA-65 (FIPS 204) — Digital signature algorithm
SLH-DSA-SHAKE-128f (FIPS 205) — Stateless hash-based signatures
Ed25519 + X25519 — Classical cryptography (hybrid mode)

All PQC operations use @noble/post-quantum. Classical operations use @noble/curves and @noble/hashes. Zero custom cryptographic primitives.

Audit Status

No independent security audit has been completed yet. First audit to be commissioned with grant funding, targeting Cure53, Trail of Bits, or NCC Group. Full audit report will be published on-chain.

Bug Bounty

Formal bug bounty program coming. Until then, email security@brivora.dev. We will credit all valid reports.

Tor Access

Access Brivora from anywhere, without surveillance or censorship.

Tor mirrors: pending — .onion addresses will be published here when enabled

Download Tor Browser: torproject.org

Security is one dimension of the Trust Stack — 10 layers of verifiable trust. Read the full Trust Stack ->