Merged
74 changes: 74 additions & 0 deletions SECURITY.md
@@ -0,0 +1,74 @@
# Security Policy

## πŸ” Supported Versions

We currently provide security updates for:

| Version | Supported |
|---------|----------|
| 0.3.x | βœ… Yes |
| < 0.3 | ❌ No |

Please make sure you're running the latest stable version.

---

## πŸ›‘οΈ Reporting a Vulnerability

The security of our users and their communications is our highest priority.
If you discover a security vulnerability, **please do not open a public GitHub issue**.

Instead, report it responsibly using one of the methods below:

### Preferred Method
πŸ“§ Emails: **security@vectorapp.io** **mail@jskitty.cat**<br>
πŸ”“ GitHub's Private Vulnerability Disclosure: [here](https://github.com/VectorPrivacy/Vector/security/advisories/new) (To confirm)

### What to Include
Please provide as much information as possible:

- Description of the vulnerability
- Steps to reproduce
- Proof-of-concept code (if applicable)
- Impact assessment
- Suggested mitigation (if known)
- Affected version(s)

If the vulnerability involves cryptography, authentication, message integrity, key exchange, or encryption bypass, please clearly mark it as **CRITICAL** in your report.

---

## πŸ”‘ Scope

This policy covers vulnerabilities related to:

- Encryption and key management
- Authentication & authorization
- Message transport security

Out of scope:

- Issues in third-party services not maintained in this repository
- Social engineering attacks
- Physical device access (unless encryption guarantees are bypassed)

---

## πŸ§ͺ Cryptography

If reporting a cryptographic issue, please include:

- Clear technical explanation
- Practical exploit scenario
- Required attacker capabilities
- Real-world impact

---

## βš–οΈ Compensation

At this time, we are unable to offer financial compensation for disclosures, as Vector is a volunteer-based project. This may change in the future as the project grows. We sincerely appreciate your understanding and support.

## πŸ™ Thank You

We appreciate responsible disclosure and the work of security researchers helping keep private communication secure.
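
Review bot: The advisory link under "Preferred Method" still carries a "(To confirm)" marker, so a reporter cannot tell whether GitHub's private vulnerability reporting is actually enabled for the repository; confirm it and drop the marker, or leave the line out until it is confirmed. The same section lists two e-mail addresses plus the advisory form under a singular "Preferred Method" heading without saying which one is preferred, and the policy states no acknowledgement or response window and no confidential channel (for example a published PGP key) for the reports it asks to be marked **CRITICAL**. Suggest naming one primary contact, stating when a reporter can expect an acknowledgement, and saying how sensitive details such as proof-of-concept code should be sent.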