Security Policy
Last updated: February 15, 2026
Security is the foundation of ShorShield. This document outlines our security architecture, responsible
disclosure guidelines, and incident response procedures.
1. Security Architecture Overview
ShorShield operates on a defense-in-depth model with multiple independent security layers:
Cryptographic Layer
ML-KEM-1024 + AES-256-GCM for encryption, ML-DSA-65 for authentication. All NIST-standardized
post-quantum algorithms.
Zero-Knowledge
Client-side encryption/decryption. Server stores only ciphertext and public keys. Private keys never
leave the user's device.
Transport Security
TLS encryption (HTTPS enforced), HTTP-only cookies, SameSite=Strict, session fingerprinting, HSTS.
Application Security
Input sanitization, CSP headers, rate limiting, nonce-based replay protection, comprehensive audit
logging.
2. Responsible Disclosure
We welcome security researchers. If you discover a vulnerability in ShorShield, we ask that you report it responsibly so we can address it before it's publicly disclosed.
How to Report
- Email your findings to shorshield@gmail.com
- Include a detailed description of the vulnerability
- Provide steps to reproduce the issue
- If possible, suggest a fix or mitigation
- Do not publicly disclose the vulnerability until we've had time to respond
What We Commit To
- Acknowledgment within 48 hours of receiving your report
- Assessment and initial response within 5 business days
- Transparent communication throughout the resolution process
- Credit in our security acknowledgments (if desired)
- No legal action against good-faith security research
Scope
The following are in scope for responsible disclosure:
- Authentication bypass or privilege escalation
- Cross-site scripting (XSS) or injection vulnerabilities
- Cryptographic weaknesses in our PQC implementation
- Data exposure or unauthorized access
- Session hijacking or fixation
- Rate limiting bypasses
Out of scope: Denial of service attacks, social engineering of staff, physical intrusions, attacks on third-party services, and automated scanning without prior coordination.
3. Incident Response
In the event of a confirmed security incident, we follow this protocol:
- Containment: Isolate affected systems, revoke compromised credentials
- Assessment: Determine scope, identify affected data, analyze attack vector
- Notification: Inform affected users within 72 hours per GDPR requirements
- Remediation: Deploy fix, rotate affected keys, update security controls
- Post-Mortem: Conduct root cause analysis, document lessons learned, update defenses
4. Security Headers
All ShorShield pages are served with the following security headers:
- X-Content-Type-Options: nosniff
- X-Frame-Options: DENY
- X-XSS-Protection: 0 (disabled in favor of Content Security Policy, as recommended by modern browsers; the legacy value 1; mode=block can introduce vulnerabilities)
- Content-Security-Policy: Enforced with strict source directives to prevent XSS
- Referrer-Policy: strict-origin-when-cross-origin
- Permissions-Policy: camera=(), microphone=(), geolocation=()
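An added example, not ShorShield's own code: a small Python audit that checks one HTTP response's headers against the list above. The expected values are the ones this page lists; the CSP check (a script-src or default-src directive present, with no 'unsafe-inline' and no '*' source) is an assumed reading of "strict source directives", and the sample responses are constructed.

```python
from typing import Dict, List

# Expected values are taken from the header list on this page. The CSP rule below is an
# assumption: script-src (or default-src) present, allowing neither 'unsafe-inline' nor '*'.
EXPECTED_EXACT = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "x-xss-protection": "0",  # legacy filter off; CSP carries the XSS defence
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}

def _csp_findings(csp: str) -> List[str]:
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return ["content-security-policy: no script-src or default-src"]
    return [f"content-security-policy: script sources allow {bad}"
            for bad in ("'unsafe-inline'", "*") if bad in sources]

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return policy deviations for one response; an empty list means it conforms."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name, expected in EXPECTED_EXACT.items():
        actual = h.get(name)
        if actual is None:
            findings.append(f"{name}: missing")
        elif actual != expected:
            findings.append(f"{name}: got {actual!r}, expected {expected!r}")
    if "content-security-policy" not in h:
        findings.append("content-security-policy: missing")
    else:
        findings.extend(_csp_findings(h["content-security-policy"]))
    return findings

# Constructed sample responses: one conforming, one with the legacy filter re-enabled
# and a permissive CSP.
GOOD = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
BAD = {**GOOD, "X-XSS-Protection": "1; mode=block",
       "Content-Security-Policy": "default-src *; script-src 'unsafe-inline'"}
```

Running `audit_headers(GOOD)` returns an empty list, while `audit_headers(BAD)` reports the re-enabled XSS filter and the 'unsafe-inline' script source.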
5. Compliance
- GDPR compliant: Data stored in the EU, user rights honored
- No tracking: No analytics, no advertising, no third-party cookies
- Audit logging: All security-relevant events are logged immutably
- SOC 2 / ISO 27001: Certification planned (see Roadmap)
6. Contact
Security concerns: shorshield@gmail.com
PGP key available upon request for encrypted communication.