Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, use one of these private channels:
- GitHub private vulnerability reporting (preferred): Report a vulnerability
- Email: kenikla@pm.me — please include
[hypervault-crypto security]in the subject line.
Include as much of the following as you can:
- Affected file(s) / class(es) and version or commit hash
- A description of the issue and its impact (what an attacker gains)
- Reproduction steps or a proof-of-concept test
- Any suggested fix
- Acknowledgement within 72 hours.
- We will investigate, keep you informed of progress, and credit you in the advisory unless you prefer to remain anonymous.
- Please give us a reasonable window to ship a fix before public disclosure; we aim for 90 days or less.
In scope:
- Cryptographic design or implementation flaws (nonce reuse, weak KDF parameters, oracle behavior, timing side channels in comparisons, etc.)
- Format-level attacks on HV1 / HVS1 containers (malleability, downgrade/confusion between versions, truncation)
- Key material lifetime violations (secrets copied into non-zeroable memory,
secrets in
Strings) - Incorrect wallet derivation or signing (BIP-32/39, SLIP-10, EIP-155/1559) that could lead to loss of funds
Out of scope:
- Vulnerabilities in the closed-source Hypervault Android app (report them by email instead)
- Vulnerabilities in Bouncy Castle itself (report upstream, but we appreciate a heads-up so we can pin a fixed version)
- Denial of service via absurd inputs (e.g., multi-GB payloads)
Only the latest release line receives security fixes.