Security Program
The 0x0 Security Program covers advisories, key rotation, dependency trust,
host-effect denial, app threat models, and release evidence.
Advisory Flow
1. Preserve the failing artifact or evidence bundle.
2. Assign severity and affected versions.
3. Rotate affected keys when signing, registry, or release trust is involved.
4. Publish an advisory and mitigation.
5. Add regression evidence before closing the incident.
Key Rotation
Signing and registry keys must have owners, rotation policy, and rollback
records. Physical secure-boot root keys are tracked in
hardware/physical-root-keys.tsv.
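One way to check the owner, rotation-policy and rollback-record requirement above against a key inventory, as an added example that is not the project's own code. The column names, the sample rows and the `audit_keys` function are assumptions; the actual layout of hardware/physical-root-keys.tsv is not shown on this page.

```python
import csv
import io
from datetime import date

# Constructed sample inventory. Column names are assumed for this example
# and are not the layout of hardware/physical-root-keys.tsv.
SAMPLE_TSV = (
    "key_id\towner\tmax_age_days\tlast_rotated\trollback_record\n"
    "release-signing\talice\t90\t2024-01-10\trollback/0007\n"
    "registry-publish\t\t180\t2024-02-01\trollback/0003\n"
    "boot-root-a\tbob\t365\t2022-11-30\t\n"
    "ci-attest\tcarol\tninety\t2024-03-01\trollback/0011\n"
)

# Every key must carry all four fields to satisfy the policy.
REQUIRED = ("owner", "max_age_days", "last_rotated", "rollback_record")


def audit_keys(tsv_text, today):
    """Return {key_id: [findings]} for each key that fails the policy."""
    findings = {}
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        values = {f: (row.get(f) or "").strip() for f in REQUIRED}
        problems = [f"missing {f}" for f in REQUIRED if not values[f]]
        # Only evaluate rotation age when both inputs are present.
        if values["max_age_days"] and values["last_rotated"]:
            try:
                max_age = int(values["max_age_days"])
                rotated = date.fromisoformat(values["last_rotated"])
            except ValueError:
                problems.append("unparseable rotation policy or date")
            else:
                age = (today - rotated).days
                if age < 0:
                    problems.append("last_rotated is in the future")
                elif age > max_age:
                    problems.append(f"rotation overdue by {age - max_age} days")
        if problems:
            findings[row["key_id"]] = problems
    return findings


if __name__ == "__main__":
    # Fixed date so the constructed sample gives a stable report.
    for key_id, problems in audit_keys(SAMPLE_TSV, date(2024, 4, 1)).items():
        print(f"{key_id}: {'; '.join(problems)}")
```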
Runtime Security
Run these checks:
    make runtime-host-security-check
    make host-effects-closure-check
    make physical-hardware-evidence-check
Security docs for Index and Kukulkan live under docs/security/.