If you discover a security vulnerability in Sharc, please report it responsibly.

1. Do not open a public GitHub issue.
2. Email [email protected] or use GitHub's private vulnerability reporting.
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Impact assessment
   • Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.

Sharc's security surface includes:

• AES-256-GCM encryption (Sharc.Crypto) — database-level encryption at rest
• Argon2id key derivation — password-based key stretching
• ECDSA agent attestation (Trust layer) — cryptographic identity for AI agents
• Hash-chain ledger — tamper-evident audit log

• No native dependencies — pure managed C#, no P/Invoke attack surface
• No unsafe code unless profiling proves >20% gain
• Span-based I/O — no unnecessary buffer copies that could leak data
• Deterministic builds — reproducible from source