Security
Report vulnerabilities privately, and read the known limits plainly.
Memora is still a developer preview, so the safest security page is the one that says exactly what is and is not hardened yet.
Reporting
Do not open public GitHub issues for vulnerabilities. Report them by email to `akuniyil@purdue.edu` with impact, reproduction steps, and the affected component.
Current limits
The current policy calls out several design limitations in the preview: the key-encryption key (KEK) held in process environment variables, operator-key centralisation, an open HCS topic without a submit key, in-memory gateway rate limiting, and no mTLS between internal services.
- TEE quote content is still verified off-chain.
- The KEK is not backed by an external KMS yet.
- The same Hedera operator key signs both HCS and EVM operations.
- Gateway rate limits are per process, not distributed.
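As an added illustration that is not part of the Memora project or this page, the following Python sketch shows the practical effect of the last limit above: when counters live in each gateway process, N replicas give a client N times the intended request budget, while one shared counter store restores the ceiling. The limiter class, client name and numbers are constructed assumptions, not Memora code.

```python
# Added illustration (not Memora code): why a per-process in-memory rate
# limiter stops enforcing its limit once the gateway is scaled out, and how
# a shared counter store closes the gap. All names and numbers are constructed.
from collections import defaultdict


class FixedWindowLimiter:
    """Fixed-window counter. `store` is the mutable mapping the counters live in:
    a private dict per replica models in-process state; one dict passed to every
    replica models a shared store (e.g. an atomic INCR in a central cache)."""

    def __init__(self, limit: int, window_s: int, store: dict) -> None:
        self.limit, self.window_s, self.store = limit, window_s, store

    def allow(self, client: str, now: int) -> bool:
        key = (client, now // self.window_s)  # one bucket per client per window
        if self.store[key] >= self.limit:
            return False
        self.store[key] += 1
        return True


def admitted(replicas: int, attempts: int, limit: int, shared: bool) -> int:
    """Send `attempts` requests from one client, round-robin across `replicas`
    gateway instances inside a single 60 s window; return how many got through."""
    shared_store = defaultdict(int)
    limiters = [
        FixedWindowLimiter(limit, 60, shared_store if shared else defaultdict(int))
        for _ in range(replicas)
    ]
    return sum(limiters[i % replicas].allow("client-A", now=0) for i in range(attempts))


if __name__ == "__main__":
    # With 3 replicas and a 10/min limit, the per-process design admits 30 requests.
    print("per-process:", admitted(replicas=3, attempts=100, limit=10, shared=False))
    # Sharing the counter restores the intended ceiling of 10.
    print("shared store:", admitted(replicas=3, attempts=100, limit=10, shared=True))
```

The same multiplication applies to any per-process state a load balancer spreads across replicas, which is why the limit above matters more as the preview is scaled horizontally.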