Skip to main content

Security · Responsible Disclosure

Found a vulnerability?
Tell us first.

VaultPass is a zero-knowledge system protecting real crypto assets. Security issues are taken seriously. We investigate every credible report, fix confirmed vulnerabilities promptly, and credit researchers publicly.

Rewards

Critical
$100
Vault or key disclosure, auth bypass, unauthorized shard release
High
$50
Privilege escalation, IDOR, succession-logic flaws
Medium
$25
Sensitive info leak, meaningful rate-limit bypass
Low
Hall of Fame
Best-practice and hardening findings

Rewards are paid on validation of the first reproducible report of a unique, in-scope issue; payout method is arranged with each researcher. We acknowledge every report within 3 business days, confirm severity, and prioritise fixes for Critical and High findings. VaultPass is early-stage — amounts are modest but real, and every valid reporter is also credited in our Hall of Fame.

How to report

  1. Email [email protected] with subject line: [SECURITY]
  2. Include a clear description of the vulnerability and steps to reproduce.
  3. Attach proof-of-concept code or screenshots where applicable.
  4. We will acknowledge your report within 24–72 hours depending on severity (see the response targets below) and provide a timeline for resolution.
  5. Please do not disclose publicly until we have confirmed and patched the issue.

In scope

  • Authentication bypass or session hijacking
  • Client-side encryption logic vulnerabilities (lib/crypto.ts, lib/shard-crypto.ts)
  • Shamir shard reconstruction flaws (lib/shamir.ts)
  • Dead Man's Switch premature or suppressed triggering
  • API endpoints: unauthorized data access or RLS bypass
  • Cross-site scripting (XSS) with demonstrated impact
  • Cryptographic implementation weaknesses
  • Heir access control bypass

Out of scope

  • Issues already known to us or already reported
  • Denial of service (DoS/DDoS)
  • Rate limiting on non-sensitive endpoints
  • Missing security headers on static assets
  • Clickjacking on pages with no sensitive actions
  • Vulnerabilities in third-party dependencies without demonstrated impact
  • Social engineering or phishing attacks
  • Physical access attacks
  • Automated scanner output without proof of concept

Rules of engagement

  • Test only against your own accounts. Do not access or modify other users' data.
  • Do not perform automated scanning at a rate that degrades service for other users.
  • Do not use the vulnerability to access, exfiltrate, or destroy user data.
  • Act in good faith. We will do the same.

Severity & response targets

Final severity is assigned by the VaultPass team using impact and exploitability. These are the timelines we aim for from a valid report:

SeverityExamplesAckTriageFix target
CriticalVault seed / Shamir shard exposure, auth bypass, RCE, mass data access24h72h7 days
HighPrivilege escalation, RLS bypass, heir-access bypass, premature Dead Man's Switch48h5 days14 days
MediumStored XSS, sensitive info disclosure, auth-protected CSRF72h7 days30 days
LowMinor misconfigurations, low-impact issues with limited reach72h14 daysBest effort

Safe harbor

We consider security research and vulnerability disclosure conducted in good faith and in accordance with this policy to be authorized. We will not pursue or support legal action against you — including under the Computer Fraud and Abuse Act, the DMCA (§1201), or equivalent laws — provided you:

  • act in good faith and stay within the scope and rules of engagement above;
  • avoid privacy violations, data destruction, and any degradation of service to other users;
  • access only your own test accounts and never exfiltrate or retain other users' data;
  • give us a reasonable period to remediate before any public disclosure.

If legal action is initiated by a third party against you for activity conducted in accordance with this policy, we will make this authorization known. This policy is not a waiver of any rights nor permission to act unlawfully; if in doubt about whether an action is in scope, ask us first at [email protected].

Report a Vulnerability →← Security Overview