Security · Responsible Disclosure
Found a vulnerability?
Tell us first.
VaultPass is a zero-knowledge system protecting real crypto assets. Security issues are taken seriously. We investigate every credible report, fix confirmed vulnerabilities promptly, and credit researchers publicly.
Rewards
Rewards are paid on validation of the first reproducible report of a unique, in-scope issue; payout method is arranged with each researcher. We acknowledge every report within 3 business days, confirm severity, and prioritise fixes for Critical and High findings. VaultPass is early-stage — amounts are modest but real, and every valid reporter is also credited in our Hall of Fame.
How to report
- Email [email protected] with subject line:
[SECURITY] - Include a clear description of the vulnerability and steps to reproduce.
- Attach proof-of-concept code or screenshots where applicable.
- We will acknowledge your report within 24–72 hours depending on severity (see the response targets below) and provide a timeline for resolution.
- Please do not disclose publicly until we have confirmed and patched the issue.
In scope
- Authentication bypass or session hijacking
- Client-side encryption logic vulnerabilities (lib/crypto.ts, lib/shard-crypto.ts)
- Shamir shard reconstruction flaws (lib/shamir.ts)
- Dead Man's Switch premature or suppressed triggering
- API endpoints: unauthorized data access or RLS bypass
- Cross-site scripting (XSS) with demonstrated impact
- Cryptographic implementation weaknesses
- Heir access control bypass
Out of scope
- Issues already known to us or already reported
- Denial of service (DoS/DDoS)
- Rate limiting on non-sensitive endpoints
- Missing security headers on static assets
- Clickjacking on pages with no sensitive actions
- Vulnerabilities in third-party dependencies without demonstrated impact
- Social engineering or phishing attacks
- Physical access attacks
- Automated scanner output without proof of concept
Rules of engagement
- Test only against your own accounts. Do not access or modify other users' data.
- Do not perform automated scanning at a rate that degrades service for other users.
- Do not use the vulnerability to access, exfiltrate, or destroy user data.
- Act in good faith. We will do the same.
Severity & response targets
Final severity is assigned by the VaultPass team using impact and exploitability. These are the timelines we aim for from a valid report:
| Severity | Examples | Ack | Triage | Fix target |
|---|---|---|---|---|
| Critical | Vault seed / Shamir shard exposure, auth bypass, RCE, mass data access | 24h | 72h | 7 days |
| High | Privilege escalation, RLS bypass, heir-access bypass, premature Dead Man's Switch | 48h | 5 days | 14 days |
| Medium | Stored XSS, sensitive info disclosure, auth-protected CSRF | 72h | 7 days | 30 days |
| Low | Minor misconfigurations, low-impact issues with limited reach | 72h | 14 days | Best effort |
Safe harbor
We consider security research and vulnerability disclosure conducted in good faith and in accordance with this policy to be authorized. We will not pursue or support legal action against you — including under the Computer Fraud and Abuse Act, the DMCA (§1201), or equivalent laws — provided you:
- act in good faith and stay within the scope and rules of engagement above;
- avoid privacy violations, data destruction, and any degradation of service to other users;
- access only your own test accounts and never exfiltrate or retain other users' data;
- give us a reasonable period to remediate before any public disclosure.
If legal action is initiated by a third party against you for activity conducted in accordance with this policy, we will make this authorization known. This policy is not a waiver of any rights nor permission to act unlawfully; if in doubt about whether an action is in scope, ask us first at [email protected].