Security & disclosure
Last updated 25 May 2026
Security is OXP's #1 design priority. The full living threat model lives in SECURITY.md. This page summarises the controls referenced from /trust and tells you how to report a vulnerability.
Reporting a vulnerability
Email security@oxp.sh with reproduction steps and the affected version. We acknowledge within 2 business days, ship a fix or mitigation within 30 days for high-severity issues, and credit reporters in the release notes unless you ask us not to. Please do not file a public GitHub issue for security reports.
Out of scope: rate-limit findings without impact, missing security headers on marketing pages, attacks requiring physical access.
WASM sandbox
Untrusted extension code runs as a WASI Preview 2 component with no preopens, no env, and no network. Every host capability is mediated by a typed broker — a bundle cannot fabricate a syscall it did not declare in its WIT imports. Permissions are granted at install time via an explicit prompt, persisted per (publisher, slug), and re-prompted when an upgrade adds a new capability.
Signed bundles & TOFU pinning
Every .oxp bundle is signed with Ed25519 at pack time. Hosts re-verify the signature locally before install — the registry is treated as untrusted transport. The first key seen for a publisher is pinned (TOFU); upgrades signed with a different key are rejected until the publisher rotates through the signed key-rotation flow.
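The verify-then-pin order described above, as an added Go example that is not OXP's own code. The names PinStore, VerifyAndPin, Rotate and demo are hypothetical, the publisher "acme" and the bundle bytes are constructed, and the rotation statement is assumed to be the new public key signed by the currently pinned key, since this page does not specify that format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

var ErrBadSignature, ErrKeyMismatch = errors.New("signature invalid"), errors.New("key differs from pin")

// PinStore maps publisher -> first-seen public key (hypothetical, in-memory).
type PinStore map[string]ed25519.PublicKey

// VerifyAndPin checks the signature before the pin, so a tampered bundle never pins a key.
func (s PinStore) VerifyAndPin(pub string, key ed25519.PublicKey, bundle, sig []byte) error {
	if len(key) != ed25519.PublicKeySize || !ed25519.Verify(key, bundle, sig) {
		return ErrBadSignature
	}
	if pinned, seen := s[pub]; seen && !bytes.Equal(pinned, key) {
		return ErrKeyMismatch
	}
	s[pub] = append(ed25519.PublicKey(nil), key...) // store a private copy
	return nil
}

// Rotate re-pins only if the pinned key signed the new key (assumed statement format).
func (s PinStore) Rotate(pub string, newKey ed25519.PublicKey, sigByOld []byte) error {
	if old, seen := s[pub]; !seen || len(newKey) != ed25519.PublicKeySize || !ed25519.Verify(old, newKey, sigByOld) {
		return ErrBadSignature
	}
	s[pub] = append(ed25519.PublicKey(nil), newKey...)
	return nil
}

// demo runs the flow on constructed keys and bundles; outcomes are returned in order.
func demo() []error {
	pubA, privA, _ := ed25519.GenerateKey(nil)
	pubB, privB, _ := ed25519.GenerateKey(nil)
	s, v1, v2 := PinStore{}, []byte("constructed bundle v1"), []byte("constructed bundle v2")
	return []error{
		s.VerifyAndPin("acme", pubA, v1, ed25519.Sign(privA, v1)), // first install pins key A
		s.VerifyAndPin("acme", pubA, v2, ed25519.Sign(privA, v1)), // signature is for other bytes
		s.VerifyAndPin("acme", pubB, v2, ed25519.Sign(privB, v2)), // valid, but key is not pinned
		s.Rotate("acme", pubB, ed25519.Sign(privA, pubB)),         // key A endorses key B
		s.VerifyAndPin("acme", pubB, v2, ed25519.Sign(privB, v2)), // accepted after rotation
	}
}
func main() { fmt.Println(demo()) }
```

A real host would persist the pin store with integrity protection, because anyone who can rewrite it can replace the pinned key.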
Secrets at rest & in transit
SSO credentials, storage keys, and KMS material are envelope-encrypted with AES-256-GCM under a server-held master key before being persisted. Edge proxies enforce TLS 1.2 minimum with HSTS preload on oxp.sh. Per-extension storage is namespaced with the prefix oxp:storage:<extensionId>: so two components cannot read each other's keys.
Publish tokens & 2FA
Publish tokens are scoped (publish:@handle/* or per-package), default to a 90-day TTL, and can be rotated with a 5-minute hand-over grace. Accounts with TOTP 2FA enrolled must present a recent (≤ 10 min) factor before any publish; recovery codes are bcrypt-hashed and single-use. Manage tokens at /dashboard/tokens and 2FA at /dashboard/security.