Skip to content


This project takes security very seriously. If you ever find a vulnerability, please get in touch ASAP and/or open an issue unless disclosure is harmful (make sure to check the confidential checkbox).

Improving security

With the goal of keeping this project secure, several measures are taken:

  • Good test coverage to prevent bugs.
  • Code fuzzed to uncover unexpected bugs.
  • Static typing to prevent type-related bugs.
  • Tags, releases and packages are always signed.
  • No external dependencies to diminish attack surface and risk.
  • Safe defaults and secure minimums enforced for sensitive values.
  • Analysis of (dev) dependencies for known vulnerabilities using safety and trivy.
  • Static analysis of code for common pitfalls and potential vulnerabilities using bandit.
  • Build reproducibility thanks to poetry: trusted code -> trusted package (although this may not be too important).

Code fuzzing

I wrote a fuzzing helper using pythonfuzz, check the fuzz module. I fuzzed each signer for over 48 hours without finding any issue, and now added a short fuzzing session in the CI for every release to ensure that simple bugs are caught from beforehand.

Continuous fuzzing wanted

Fuzzing truly benefits a project when it is run continuously, but I can't currently pay for a VPS for this, so I'm looking for ideas on this matter.

External security review

Expert wanted

This project hasn't been externally audited yet, so this project needs a security review. If you are an expert and can do it, please contact me. The results of said review will be published here.