If you think you have found a security bug in OQS software, please send email to firstname.lastname@example.org. If you want to send an encrypted message, you can use this PGP key to email email@example.com. We do not run a bug bounty program.
We do aim to create reliable, secure software implementing post-quantum cryptography. However, we are primarily a research project focused on prototyping and evaluating post-quantum cryptography, not on creating products, so our response to security issues will be on a best-effort basis, and we do not make guarantees on timelines. Note that many algorithm implementations included in OQS are obtained from other projects; resolving issues may require coordination with other parties and this may affect resolution time.
Note that a cryptanalytic flaw in an algorithm may result in an algorithm being temporarily removed until its creators issue a fix, or permanently removed if broken.
The goal of these integration is to provide easy prototyping of quantum-resistant cryptography and should not be considered “production quality”. Please see more about limitations of our prototype software.
When we are planning an update that fixes a high severity security issue, we will post an update on our website openquantumsafe.org indicating a planned release date and will notify those who have requested to be added to our notification list (email firstname.lastname@example.org to be added to this list).