Skip to content

Security: ITSDevelopmentCore/hypervault-crypto

SECURITY.md

Security Policy

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.

Instead, use one of these private channels:

  1. GitHub private vulnerability reporting (preferred): Report a vulnerability
  2. Email: kenikla@pm.me — please include [hypervault-crypto security] in the subject line.

Include as much of the following as you can:

  • Affected file(s) / class(es) and version or commit hash
  • A description of the issue and its impact (what an attacker gains)
  • Reproduction steps or a proof-of-concept test
  • Any suggested fix

What to expect

  • Acknowledgement within 72 hours.
  • We will investigate, keep you informed of progress, and credit you in the advisory unless you prefer to remain anonymous.
  • Please give us a reasonable window to ship a fix before public disclosure; we aim for 90 days or less.

Scope

In scope:

  • Cryptographic design or implementation flaws (nonce reuse, weak KDF parameters, oracle behavior, timing side channels in comparisons, etc.)
  • Format-level attacks on HV1 / HVS1 containers (malleability, downgrade/confusion between versions, truncation)
  • Key material lifetime violations (secrets copied into non-zeroable memory, secrets in Strings)
  • Incorrect wallet derivation or signing (BIP-32/39, SLIP-10, EIP-155/1559) that could lead to loss of funds

Out of scope:

  • Vulnerabilities in the closed-source Hypervault Android app (report them by email instead)
  • Vulnerabilities in Bouncy Castle itself (report upstream, but we appreciate a heads-up so we can pin a fixed version)
  • Denial of service via absurd inputs (e.g., multi-GB payloads)

Supported versions

Only the latest release line receives security fixes.

There aren't any published security advisories