@@ -30,6 +30,9 @@ The caller still owns:
3030- avoiding accidental copies of secrets before wrapping them in ` SecretBuffer `
3131- treating stack-buffer ` into_exposed_array ` calls as boundaries where redacted
3232 formatting and drop-time cleanup intentionally stop for the returned arrays
33+ - understanding that stack-backed buffers can clear their own backing arrays
34+ but cannot clear historical stack-frame copies made by compiler spills,
35+ caller code, panic machinery, crash handlers, or operating system capture
3336- treating ` SecretBuffer::into_exposed_vec ` as a boundary where redacted
3437 formatting and drop-time cleanup intentionally stop
3538- process-wide memory hygiene such as core-dump policy, swap policy, crash
@@ -59,9 +62,12 @@ profiles are strict about the configured line ending and non-final line width.
5962
6063Cleanup APIs are best-effort initialized-byte cleanup. They are implemented
6164without runtime dependencies and without unsafe code in scalar paths. They do
62- not claim formal zeroization against compiler behavior, allocator spare
63- capacity, copies made outside the wrapper, core dumps, swap, or arbitrary
64- process memory disclosure vulnerabilities.
65+ not claim formal zeroization against compiler behavior, historical stack-frame
66+ copies, allocator internals, copies made outside the wrapper, core dumps, swap,
67+ or arbitrary process memory disclosure vulnerabilities. For high-assurance
68+ secret handling, use the clear-tail APIs promptly and pair them with operating
69+ system and deployment controls that reduce crash dumps, swap, and broad memory
70+ disclosure exposure.
6571
6672### Side-Channel Posture
6773
0 commit comments