Security: mateocallec/QbitStrike

SECURITY.md

Security Policy

Supported Versions

Only the latest stable release receives security updates.

Version   Supported
1.0.0     Yes

Scope

QbitStrike is an educational project targeting toy-sized cryptographic keys. It does not implement production-grade cryptographic systems and is not intended for use in security-sensitive environments.

Security concerns within scope include:

  • Mishandling of API keys or credentials (e.g. IBM_API_KEY)
  • Unintended exposure of sensitive files (.env, .bin, .pem)
  • Dependency vulnerabilities in third-party packages

Out of scope:

  • Attacks against real-world cryptographic systems
  • Issues arising from misuse of the tool outside its educational purpose

Reporting a Vulnerability

If you discover a security vulnerability in this project, please do not open a public GitHub issue.

Instead, report it privately by email:

Contact: mateo@callec.net
Subject line: [QbitStrike] Security Vulnerability Report

Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fix (optional)

You can expect an acknowledgement within 72 hours and a resolution or status update within 14 days.


Best Practices for Users

  • Never commit your .env file — it is listed in .gitignore by default
  • Do not share your IBM_API_KEY publicly
  • Treat any generated .bin or .pem files as sensitive if derived from real keys
  • Use this tool only in isolated, controlled environments
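The first three practices above amount to one check: nothing that holds a real IBM_API_KEY, and no .env, .bin or .pem file, should be committable. The script below is an added example (not part of QbitStrike) that scans a checkout for exactly those conditions so it can be run before committing or in CI. It assumes IBM_API_KEY is the only credential name in use, treats a few common placeholder values as harmless, and approximates .gitignore matching with fnmatch rather than full gitignore semantics.

```python
import os
import re
import tempfile
from fnmatch import fnmatch
from pathlib import Path

# File kinds the policy treats as sensitive (assumption: this is the full list).
SENSITIVE_GLOBS = (".env", "*.bin", "*.pem")
# Assignment of the credential named in the policy, in .env or Python style.
SECRET_RE = re.compile(r"^\s*IBM_API_KEY\s*=\s*['\"]?(\S+)", re.MULTILINE)
# Values that are placeholders rather than real keys (constructed list).
PLACEHOLDERS = {"", "changeme", "your_key_here", "<your-ibm-api-key>"}


def load_ignore_patterns(repo_root):
    """Return the non-comment patterns from .gitignore, or [] if absent."""
    gi = Path(repo_root) / ".gitignore"
    if not gi.exists():
        return []
    lines = gi.read_text().splitlines()
    return [l.strip() for l in lines if l.strip() and not l.startswith("#")]


def is_ignored(rel_path, patterns):
    """Simplified gitignore match: pattern against basename or full relative path."""
    name = os.path.basename(rel_path)
    return any(fnmatch(name, p) or fnmatch(rel_path, p) for p in patterns)


def check_secret_hygiene(repo_root):
    """Return a list of findings; an empty list means the checkout is clean."""
    root = Path(repo_root)
    patterns = load_ignore_patterns(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or ".git" in path.parts:
            continue
        rel = path.relative_to(root).as_posix()
        sensitive = any(fnmatch(path.name, g) for g in SENSITIVE_GLOBS)
        if sensitive and not is_ignored(rel, patterns):
            findings.append(f"{rel}: sensitive file not covered by .gitignore")
        if path.name == ".gitignore" or path.suffix in {".bin", ".pem"}:
            continue  # binary key material is not text-scanned
        if is_ignored(rel, patterns):
            continue  # will not be committed, so its contents are out of scope
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for m in SECRET_RE.finditer(text):
            value = m.group(1).strip("'\"").lower()
            if value not in PLACEHOLDERS:
                findings.append(f"{rel}: IBM_API_KEY value in a file that is not ignored")
    return findings


def build_demo_repo():
    """Create a constructed sample checkout with two problems and return its path."""
    root = Path(tempfile.mkdtemp())
    (root / ".gitignore").write_text(".env\n")
    (root / ".env").write_text("IBM_API_KEY=constructed-real-looking-key\n")   # ignored: fine
    (root / ".env.example").write_text("IBM_API_KEY=your_key_here\n")           # placeholder: fine
    (root / "config.py").write_text('IBM_API_KEY = "constructedkey123"\n')      # finding
    (root / "keys.bin").write_bytes(b"\x00\x01\x02")                             # finding
    return str(root)


if __name__ == "__main__":
    for finding in check_secret_hygiene(build_demo_repo()):
        print(finding)
```

Run it from the repository root (replace `build_demo_repo()` with `"."`) and fail the commit if the returned list is non-empty. The demo tree is constructed inside the script so the example runs offline; the .env with a real-looking key is deliberately ignored and therefore produces no finding, while the hard-coded key in config.py and the unignored keys.bin do.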

Dependencies

This project relies on third-party packages listed in requirements.txt. Users are encouraged to regularly update dependencies and audit them with tools such as:

pip-audit

There aren’t any published security advisories