If you discover a security vulnerability in this implementation or in the STSP protocol itself, please report it responsibly:
Email: g.aldana@aldanainnovations.com
Subject: [SECURITY] STSP Vulnerability Report
Response time: 48 hours for acknowledgement
Do NOT open a public GitHub issue for security vulnerabilities.
In scope:
- STSP message authentication bypass
- Emergency override unauthorized access
- Denial of service on node or engine
- Protocol replay attacks
Out of scope:
- Physical security of reference node hardware
- Third-party dependencies (report to their maintainers)
- Issues requiring physical access without context
Per the STSP specification (draft-aldana-stsp, Section 11):
- All messages MUST be authenticated with HMAC-SHA256
- Emergency override requires explicit authorization
- Rate limiting: max 100 messages/second per source
- Nodes MUST enter Degraded Mode on connectivity loss
- Hardware MUST be IP67 minimum in production
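The following is an added example, not code from this implementation or from the STSP draft, showing how a receiving node can enforce the three checkable requirements above (HMAC-SHA256 on every message, a per-source limit of 100 messages/second) together with the replay protection named in the in-scope list. Everything about the wire format is an assumption made for the example: messages are framed as `source_id|seq|payload|hex_tag`, the tag is HMAC-SHA256 over `source_id|seq|payload`, and replays are rejected with a per-source monotonic sequence number. The class and function names (`StspReceiver`, `build_message`) are hypothetical.

```python
import hashlib
import hmac
from collections import deque

# Values taken from the requirement summary above.
MAX_MSGS_PER_SECOND = 100
TAG_BYTES = 32  # SHA-256 digest length

DELIM = b"|"  # assumed framing delimiter; source_id must not contain it


def _mac(key: bytes, source_id: bytes, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over source, sequence number and payload, so that none
    of the three can be swapped without invalidating the tag."""
    return hmac.new(key, DELIM.join([source_id, str(seq).encode(), payload]),
                    hashlib.sha256).digest()


def build_message(key: bytes, source_id: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side of the assumed framing: source_id|seq|payload|hex_tag."""
    if DELIM in source_id:
        raise ValueError("source_id must not contain the delimiter")
    tag_hex = _mac(key, source_id, seq, payload).hex().encode()
    return DELIM.join([source_id, str(seq).encode(), payload, tag_hex])


class StspReceiver:
    """Receiver-side checks: authenticate, reject replays, rate-limit.

    State is only committed once a message passes every check, so a dropped
    message never advances the sequence counter or the rate window.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}   # source_id -> highest accepted sequence number
        self.windows = {}    # source_id -> deque of accept timestamps (seconds)

    def verify(self, message: bytes, now: float):
        """Return (accepted, reason). `now` is injected so the rate window
        is deterministic in tests; use time.monotonic() in production."""
        try:
            source_id, seq_raw, rest = message.split(DELIM, 2)
            payload, tag_hex = rest.rsplit(DELIM, 1)  # payload may contain '|'
            seq = int(seq_raw)
            tag = bytes.fromhex(tag_hex.decode("ascii"))
        except ValueError:
            return (False, "malformed")

        # 1. Authentication: constant-time comparison of the full-length tag.
        expected = _mac(self.key, source_id, seq, payload)
        if len(tag) != TAG_BYTES or not hmac.compare_digest(tag, expected):
            return (False, "bad-mac")

        # 2. Replay: sequence numbers must strictly increase per source.
        if seq <= self.last_seq.get(source_id, -1):
            return (False, "replay")

        # 3. Rate limit: sliding one-second window per authenticated source.
        window = self.windows.setdefault(source_id, deque())
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= MAX_MSGS_PER_SECOND:
            return (False, "rate-limited")

        # All checks passed: commit state.
        window.append(now)
        self.last_seq[source_id] = seq
        return (True, "ok")


if __name__ == "__main__":
    # Constructed demo key and traffic; not real STSP keys or messages.
    key = b"constructed-demo-key"
    rx = StspReceiver(key)
    msg = build_message(key, b"node-7", 1, b"STATE=NORMAL")
    print(rx.verify(msg, now=10.0))                                  # accepted
    print(rx.verify(msg, now=10.1))                                  # replay
    print(rx.verify(msg.replace(b"NORMAL", b"OVERRIDE"), now=10.2))  # bad-mac
```

The authentication check runs before any state is touched, so an unauthenticated sender cannot advance another node's sequence counter or fill its rate window. The rate limit is applied only to authenticated traffic here; a deployment that also needs to shed unauthenticated floods would add a cheaper per-peer limit in front of the MAC check.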
We follow responsible disclosure. We will:
- Acknowledge your report within 48 hours
- Investigate and confirm the vulnerability
- Develop and test a fix
- Credit you in the release notes (unless you prefer anonymity)
Thank you for helping keep urban infrastructure safe.