Add security warnings doc with warning about side channels.

README.md

@@ -19,8 +19,15 @@ proving scheme which preserves confidentiality of transaction metadata.
 
 Participation in the Zcash project is subject to a [Code of Conduct](code_of_conduct.md).
 
+Security Warnings
+-----------------
+
+See important security warnings in
+[doc/security-warnings.md](doc/security-warnings.md).
+
 License
 -------
 
 Zcash Core is released under the terms of the MIT license. See [COPYING](COPYING) for more
 information or see http://opensource.org/licenses/MIT.
+

doc/security-warnings.md

@@ -0,0 +1,26 @@
+Security Warnings
+====================
+
+Security Audit
+--------------
+
+Zcash has not yet been subjected to a formal third-party security review. This
+section will be updated with links to security audit reports in the future.
+
+Side-Channel Attacks
+--------------------
+
+This implementation of Zcash is not resistant to side-channel attacks. You
+should assume other unprivileged users running on the same hardware as your
+`zcashd` process will be able to:
+
+- Determine which note your are spending by observing cache side-channels as you
+  perform a JoinSplit operation. This is due to probable side-channel leakage in
+  the libsnark proving machinery.
+
+- Determine which notes you own by observing cache side-channel information
+  leakage from the incremental witnesses as they are updated with new notes.
+
+You should ensure no other users have the ability to execute code (even
+unprivileged) on the hardware your `zcashd` process runs on until these
+vulnerabilities are fully analyzed and fixed.