Embedded-SecLink (ESL) is an experimental, research-oriented project. It has not been independently audited, formally verified, or reviewed for production security use. Do not rely on this project as the sole protection mechanism for production systems, safety-critical systems, deployed vehicles, or regulated environments without additional expert review.
Please report suspected security issues through GitHub Issues. If a report contains sensitive exploit details, private keys, logs, or deployment-specific information, avoid posting those details publicly. Open a minimal issue first so the maintainers can coordinate a safer disclosure path.
The following areas should receive extra review before real-world deployment:
- Random number generation and entropy quality used by key generation and IV generation.
- key.json private-key storage, file permissions, lifecycle, backup, and rotation.
- ECC ECDH/ECDSA input validation, key handling, signature verification, and session-key derivation.
- BLS proof-of-possession handling, aggregate signature verification, public-key validation, and rogue-key resistance.
- AES-CBC mode usage, IV uniqueness, padding validation, ciphertext integrity, and authenticated-encryption requirements.
- Merkle proof construction and verification for application-level integrity assumptions.
- Third-party dependencies downloaded through CMake FetchContent, including version pinning and upstream security updates.
Security fixes are handled on a best-effort basis for the current active development branch and tagged releases. Because ESL is experimental, no long-term support window is currently guaranteed.