trussed-dev / trussed

Modern Cryptographic Firmware

Home Page: https://trussed.dev

Maturity Status of this? Security Policy?

artificial-intelligence opened this issue

Hi,

The readme says:

Very much WIP. Actively developed. Unstable APIs.

But how can this be WIP, as in work in progress, and at the same time security products like nitrokey.com apparently use this in production?

Is the readme.md wrong?

Also, I was not able to find any kind of security policy in this GitHub repo or on the web page.

This is kind of concerning for software that implements cryptography.

Thanks

Hello @artificial-intelligence, thank you for your concern.

This framework is currently used in the Solokey 2 and the Nitrokey 3 as an abstraction around the hardware platforms, to isolate applications, and to abstract over the cryptographic backends being used. The framework itself does not implement the cryptography. The implementations come from either RustCrypto, ycrypto or a secure element (Nitrokey is bringing support for the SE050).

Trussed is WIP, as in it's being changed to fit the needs of the Nitrokey 3 and the Solokey 2 as new features are being developed.
It is therefore unstable, as the API changes following our needs, and backward-incompatible changes are often introduced.

A security policy was indeed missing. It has been added, and you can now report vulnerabilities through GitHub.