Security

Security boundaries, review, and responsible reporting

Datamorpho is a security-oriented protocol project, but it does not claim magical invulnerability. This page explains what the project is trying to protect, what remains out of scope, and how to report issues responsibly.

What Datamorpho aims to protect

  • controlled disclosure of hidden states
  • clear separation between public declaration and private reconstruction
  • state-specific reconstruction semantics
  • attack-cost increase through structure and layout strategy

What it does not claim

  • not impossible to break
  • not a substitute for sound cryptography
  • not a defense against compromised endpoints
  • not a guarantee against poor operational security

What matters most in practice

  • correct cryptographic implementation
  • correct reconstruction-object handling
  • careful key-material protection
  • clear validation and error handling

Demo tooling logging policy

When the public create and reconstruct tools go live in browser form, Datamorpho.io will clearly disclose that successful demo-tool use may log original file hashes, result file hashes, and reconstruction objects for security and abuse-response reasons. Users who need privacy should run the open-source tooling locally instead of using the public demo.

When to use public issues

Use public GitHub issues or discussions for non-sensitive problems such as wording errors, specification clarity problems, implementation bugs without security sensitivity, documentation fixes, and example inconsistencies.

When to report privately

Report potentially sensitive issues privately by email when public disclosure would create meaningful risk, such as exploitable implementation flaws, unsafe reconstruction handling, or severe cryptographic misuse in live tooling.

Responsible reporting address

For security-sensitive reports, contact g@evvm.org. Include a clear description of the issue, affected component, reproduction steps if possible, and why you believe the issue should be handled privately first.

Areas especially worth reviewing

  • carrier profile parsing and validation
  • digest cross-binding behavior
  • reconstruction-object interpretation
  • key-material serialization and handling
  • sparse and sparse-with-chaff reconstruction semantics
  • browser-compatible tooling limitations

Project security posture

Datamorpho should be understood as a layered resistance architecture. It is strongest when the protocol, tooling, examples, operational handling, and cryptographic decisions are all treated seriously instead of relying on any one mechanism alone.

Important note on the current phase

The project is still in its first public specification and tooling phase. Early implementations should be treated carefully and reviewed critically. Correctness, clear semantics, and public review matter more right now than feature breadth.