The post-quantum cryptographic algorithms included from the PQClean project are academic and should be considered experimental. We recommend reading their SECURITY.md for more details.

As a quick summary:

It is important to understand that these implementations have not been subjected to rigorous security audits or formal security validations. PQClean does not modify or alter the algorithms provided by their upstream sources.

Users should be aware that while PQClean aims to provide accurate and secure implementations, the project does not make explicit security claims.

Any use in a production environment should be preceded by a detailed expert security review.

Please refrain from reporting security vulnerabilities through public channels such as Github issues or discussions.

If you believe you've found a vulnerability, we'd appreciate if you responsibly disclose it by emailing root@backbone.dev. Try to be as explicit and detail-oriented as possible when describing how to reproduce the issue.

Providing code snippets, error messages, screenshots and other auxiliary information will go a long way in helping us prepare a fix.

We hold ourselves to a strict 30-day public disclosure policy for non-critical vulnerabilities and a 60-day policy for critical vulnerabilities to ensure sufficient uptake of a patch prior to disclosure.

With your permission, we're happy to support you by co-authoring or disseminating blog posts and other technical material to educate and notify PQCrypto users.