
Security: juice094/syncthing-rust

SECURITY.md

Security Policy

Scope: This document describes the security posture, accepted-debt registry, and reporting process for syncthing-rust. For unrelated bug reports, use GitHub issues. For sensitive vulnerabilities, see §Reporting below.


Supported Versions

| Version | Supported | Notes |
|---|---|---|
| main | Yes | Active development. Receives all fixes. |
| v0.2.0 | Beta | Tagged Beta. Security fixes backported on request. |
| < v0.2.0 | No | Pre-release; no support. |

Threat Model (in scope)

syncthing-rust is a peer-to-peer file synchronization daemon. The following are considered in-scope for security review:

  1. BEP protocol parsing — malformed/oversized messages, TLV confusion, integer overflow in length fields.
  2. TLS configuration — certificate validation, cipher selection, downgrade attacks. (Currently rustls 0.23 + ed25519-dalek for device identity.)
  3. Path traversal in scanner, puller, watcher — must reject .., absolute paths, symlink escapes.
  4. Resource exhaustion: MAX_BEP_MESSAGE_SIZE, connection counts, scanner memory budget. See docs/plans/TUNING_PLAN_2026-05-11.md T-D4 for the parameter tightening plan.
  5. REST API auth — loopback bypass behavior, API key handling, CSRF on writes.

Out of scope:

  • Quantum-resistant cryptography (TLS 1.3 + ed25519 is current state-of-the-art for the target scenario).
  • Side-channel attacks on the host hardware.
  • Compromised local OS (rust binary runs with user privileges and inherits trust boundary).

Cryptographic Inventory

| Primitive | Implementation | Purpose |
|---|---|---|
| TLS 1.3 | rustls 0.23 | Transport encryption (BEP-over-TLS) |
| ed25519 | ed25519-dalek 2.1 | Device identity certificate signing |
| SHA-256 | sha2 0.10 | File block content addressing (BEP-protocol-mandated) |
| Random | ring 0.17 / rand 0.8 | Key generation, API key, nonce |

No protocol-layer SHA-256 substitution is permitted (BEP wire-format compatibility). Local-only block-cache addressing may switch to BLAKE3 in the future — see TUNING_PLAN T-B4 for the evaluation gate.


Accepted Debt Registry

The following cargo audit warnings are accepted as known debt and tracked here for transparency. They are not actionable from this project without breaking-change upstream upgrades.

| Crate | Version | Warning | Reason for Acceptance | Source |
|---|---|---|---|---|
| paste | 1.0.15 | unmaintained | Compile-time macro only; zero runtime exposure. Upstream chain: netdev → netlink-packet-core → paste, all at latest stable. | .cargo/audit.toml, POST_V0_2_0 §Phase A |
| instant | 0.1.x | unmaintained | Internal to sled 0.34.7 (storage core). Replacing sled is a >2-day refactor; ADR-002 decided against. | ADR-002 |
| fxhash | 0.2.x | unmaintained | Same upstream chain as instant. Inherits ADR-002 decision. | ADR-002 |

The registry is enforced by .cargo/audit.toml (ignore list). CI runs cargo audit --no-fetch and must emit 0 warnings (ignored entries are not warnings).

Re-evaluation triggers (any one promotes a warning back to actionable):

  • A CVE is assigned to the unmaintained crate.
  • A semver-compatible replacement appears upstream (e.g., sled 1.0 stable).
  • The project's threat model expands (e.g., multi-tenant deployment).

Security-Relevant Tuning Knobs

These parameters affect attack surface; review when changing:

| Knob | Current | Tuned target | Reference |
|---|---|---|---|
| MAX_BEP_MESSAGE_SIZE | 128 MiB | 64 MiB (planned) | TUNING_PLAN T-D4 |
| MAX_BEP_HEADER_SIZE | 64 KiB | OK | connection.rs:32 |
| connection_timeout | 120 s | direct 60 s / relay 180 s (planned) | TUNING_PLAN T-D4 |
| heartbeat_interval | 30 s | OK (chosen for relay NAT, commit 2950f1f) | daemon_runner.rs:117 |
| max_connections | 1000 | OK for single-node | daemon_runner.rs:119 |
| Loopback API auth bypass | enabled | TBD (debug aid; document risk) | README.md |
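As an added illustration (not code from the syncthing-rust project), the following parser enforces the two size knobs above on a length-prefixed frame before any length-derived offset is used, which is the check that keeps threat-model item 1 (oversized messages, integer overflow in length fields) from becoming a resource-exhaustion or out-of-bounds bug. The u16/u32 big-endian length-prefix framing, the function names and the constants' placement are assumptions.

```rust
use std::convert::TryInto;

// Limits mirror the knobs in the table above (values from this page).
const MAX_BEP_HEADER_SIZE: usize = 64 * 1024;
const MAX_BEP_MESSAGE_SIZE: usize = 128 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum FrameError {
    Truncated,
    HeaderTooLarge(usize),
    MessageTooLarge(usize),
}

/// Assumed framing (illustrative): u16 BE header length, header bytes,
/// u32 BE message length, message bytes. Returns (header, message).
/// Each length field is compared against its limit BEFORE it is added
/// to an offset or used to slice, so a hostile length is rejected rather
/// than wrapped; checked_add keeps the offset math explicit on top of that.
pub fn parse_frame(buf: &[u8]) -> Result<(&[u8], &[u8]), FrameError> {
    let hdr_field = buf.get(0..2).ok_or(FrameError::Truncated)?;
    let hdr_len = u16::from_be_bytes(hdr_field.try_into().unwrap()) as usize; // exactly 2 bytes
    if hdr_len > MAX_BEP_HEADER_SIZE {
        return Err(FrameError::HeaderTooLarge(hdr_len));
    }
    let hdr_end = 2usize.checked_add(hdr_len).ok_or(FrameError::Truncated)?;
    let header = buf.get(2..hdr_end).ok_or(FrameError::Truncated)?;

    let len_end = hdr_end.checked_add(4).ok_or(FrameError::Truncated)?;
    let len_field = buf.get(hdr_end..len_end).ok_or(FrameError::Truncated)?;
    let msg_len = u32::from_be_bytes(len_field.try_into().unwrap()) as usize; // exactly 4 bytes
    if msg_len > MAX_BEP_MESSAGE_SIZE {
        return Err(FrameError::MessageTooLarge(msg_len));
    }
    let msg_end = len_end.checked_add(msg_len).ok_or(FrameError::Truncated)?;
    let message = buf.get(len_end..msg_end).ok_or(FrameError::Truncated)?;
    Ok((header, message))
}

/// Builds a well-formed frame in the assumed layout; used to construct
/// sample input for the parser (constructed data, not a captured packet).
pub fn build_frame(header: &[u8], message: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(6 + header.len() + message.len());
    out.extend_from_slice(&(header.len() as u16).to_be_bytes());
    out.extend_from_slice(header);
    out.extend_from_slice(&(message.len() as u32).to_be_bytes());
    out.extend_from_slice(message);
    out
}
```

A peer that announces a 4 GiB message with no body is rejected by the limit check alone, without the daemon ever reserving buffer space for it.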

Reporting a Vulnerability

Do NOT open public GitHub issues for security-sensitive matters.

  • Preferred: email the maintainer at the address listed in Cargo.toml / git log --format='%ae' | head -1.
  • Response window: best-effort within 7 days. Single-maintainer project — patience appreciated.
  • Disclosure: coordinated disclosure preferred. Suggest a 30-day embargo unless actively exploited.

Include in your report:

  1. Affected version / commit SHA.
  2. Reproduction (minimal Rust harness or Wireshark capture for protocol bugs).
  3. Suggested fix or workaround if known.

Hardening Checklist (Deployers)

If you run syncthing-rust in untrusted environments:

  • Bind REST API to loopback only (gui.address = "127.0.0.1:8385") unless reverse-proxied with TLS.
  • Rotate API key periodically; treat config.json as a secret.
  • Restrict folder paths to dedicated directories — no system roots.
  • Monitor RSS growth; current FileSystemDatabase has unbounded in-memory cache (TUNING_PLAN T-C3 fixes this).
  • Enable log rotation manually until TUNING_PLAN T-F3 ships (daemon.log is currently unbounded).
  • Review MAX_BEP_MESSAGE_SIZE for your peer-trust profile; 128 MiB default is generous.
