| Version | Supported |
|---|---|
| 1.0.x | ✅ Yes |
| < 1.0 | ❌ No |

Please DO NOT file a public issue for security vulnerabilities.
Instead, send an email to contact.fardinsabid@gmail.com with:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact (what could an attacker do?)
- Suggested fix (if you have one)

What to expect after reporting:
- Confirmation within 48 hours that we received your report
- Investigation and validation of the issue
- Fix development (if confirmed)
- Coordinated disclosure after fix is released
- We will release a patch as soon as possible
- We will credit the reporter (unless you wish to remain anonymous)
- We will publish a security advisory on GitHub

Aleam provides 64 bits of true entropy per call from the operating system's CSPRNG, combined with BLAKE2s cryptographic hashing. This provides:
- Unpredictability: Output cannot be predicted from previous values
- Non-reproducibility: No seeding, each run is unique
- State-free: No internal state to extract

| Issue | Mitigation |
|---|---|
| CPU speed | Use GPU acceleration (CuPy) |
| Platform dependence | Falls back gracefully |
| No reproducibility | Use Python's random if needed |
- Do not use Aleam for security-critical systems without additional entropy sources
- Do not rely on reproducibility - Aleam is stateless by design
- Use GPU acceleration for production workloads
- Keep dependencies updated - regularly run `pip install --upgrade aleam`

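
The entropy claim above and the advice to add entropy sources for security-critical use can be illustrated as follows. This is an added example, not Aleam's code: the construction (`os.urandom` output hashed with `hashlib.blake2s`) and all function names are assumptions. It shows that hashing does not add entropy, since an n-bit input can reach at most 2^n distinct digests.

```python
import hashlib
import os

ENTROPY_BYTES = 8  # 64 bits per call, the figure this policy states


def draw(entropy_source=os.urandom, n=ENTROPY_BYTES):
    """One stateless draw: fresh OS entropy hashed with BLAKE2s.

    Assumed construction for illustration; not Aleam's actual code.
    """
    return hashlib.blake2s(entropy_source(n)).digest()


def to_unit_float(digest):
    """Map the top 53 bits of a digest to a float in [0, 1)."""
    return (int.from_bytes(digest[:8], "big") >> 11) / (1 << 53)


def distinct_outputs(entropy_bits):
    """Count the digests reachable from an input of entropy_bits bits."""
    width = (entropy_bits + 7) // 8
    return len({
        hashlib.blake2s(i.to_bytes(width, "big")).digest()
        for i in range(1 << entropy_bits)
    })


if __name__ == "__main__":
    # No seed and no stored state: each call depends only on new OS entropy.
    print(to_unit_float(draw()), to_unit_float(draw()))
    # The digest is 256 bits wide, but a 12-bit input reaches only 2**12 values.
    print(distinct_outputs(12))
```

The same bound applies at 64 bits: the 256-bit digest still carries at most 64 bits of unpredictability per call.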
| Component | Purpose | Security Status |
|---|---|---|
| BLAKE2s | Cryptographic hash | ✅ Secure |
| getrandom() | Entropy (Linux) | ✅ Secure |
| BCryptGenRandom() | Entropy (Windows) | ✅ Secure |
| arc4random_buf() | Entropy (macOS) | ✅ Secure |

| Date | Event |
|---|---|
| 2026-03-30 | Initial release (v1.0.0) |
| 2026-04-06 | C++ migration (v1.0.3) |
| Future | Security updates as needed |

Last Updated: April 2026