VESlocker is a security primitive — we take reports seriously and appreciate coordinated disclosure.
Please do not open a public issue for security vulnerabilities.
Report privately through either channel:
- GitHub — use Security → Report a vulnerability (private advisory) on this repository, or
- Email — security@vesvault.com
Please include:
- a description of the issue and its impact,
- steps to reproduce or a proof of concept,
- affected component (`client/` or `server/`) and version/commit.
We aim to acknowledge a report within 3 business days, agree on a disclosure timeline, and credit reporters who wish to be named.
| Version | Supported |
|---|---|
| 1.x | ✅ |
| < 1.0 | ❌ |
When assessing or reporting, keep VESlocker's documented model in mind (see the Security model section of the README):
- The key server is a throttled key oracle; it never receives plaintext or ciphertext.
- Offline brute force of the PIN requires compromise of both the server-side secret store and the ciphertext. Hardening the key server's database is in scope and important.
- Decryption depends on key-server availability by design.
Reports that demonstrate a break of these properties — e.g. a way to bypass the per-id throttle, recover a key without the server secret, or have the server learn plaintext — are especially valuable.
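To make the three properties above concrete for someone assessing a report, here is an added toy model in Python. It is not VESlocker's code and not its actual protocol: the names (`KeyOracle`, `ATTEMPT_LIMIT`, `derive_key`), the HMAC-based key derivation, the per-id request counter and the stdlib-only SHAKE-256 cipher are all assumptions made for the demo. It shows a key oracle that holds a server secret and counts requests per id, a client that encrypts locally so the oracle sees neither plaintext nor ciphertext, and the two attacker positions the model distinguishes: ciphertext only (bounded by the throttle) versus ciphertext plus a dumped secret store (offline brute force).

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional, Tuple

# Hypothetical per-id request budget for this toy; VESlocker's real throttle
# policy is the one documented in its README.
ATTEMPT_LIMIT = 5


def derive_key(server_secret: bytes, id_: str, pin_digest_value: bytes) -> bytes:
    # Key = HMAC(server_secret, id || PIN-derived value). Without server_secret a
    # candidate PIN cannot be turned into a candidate key, so there is nothing
    # to test offline against the ciphertext. (Assumed construction, not VESlocker's.)
    return hmac.new(server_secret, id_.encode() + pin_digest_value, hashlib.sha256).digest()


class KeyOracle:
    """Toy throttled key oracle (illustrative only, not VESlocker's protocol)."""

    def __init__(self, server_secret: bytes, limit: int = ATTEMPT_LIMIT) -> None:
        self._secret = server_secret
        self._limit = limit
        self._requests: Dict[str, int] = {}

    def derive(self, id_: str, pin_digest_value: bytes) -> bytes:
        # The oracle never sees plaintext or ciphertext, so it cannot tell a right
        # guess from a wrong one: the throttle must count requests, not failures.
        n = self._requests.get(id_, 0)
        if n >= self._limit:
            raise PermissionError(f"throttled: {id_}")
        self._requests[id_] = n + 1
        return derive_key(self._secret, id_, pin_digest_value)

    def dump_secret_store(self) -> bytes:
        # What an attacker obtains by compromising the server-side secret store.
        return self._secret


def pin_digest(id_: str, pin: str) -> bytes:
    # Client side: only this digest leaves the client, never the PIN itself.
    return hashlib.sha256(id_.encode() + b":" + pin.encode()).digest()


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy encrypt-then-MAC with a SHAKE-256 keystream, chosen only because it
    # needs no third-party library; not a production cipher. Runs on the client.
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None  # wrong key or tampered ciphertext: reveal nothing
    stream = hashlib.shake_256(key + nonce).digest(len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def online_guess(oracle: KeyOracle, id_: str, blob: bytes,
                 candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    # Attacker holds the ciphertext only: each candidate PIN costs one oracle
    # request, so the per-id throttle bounds the total number of guesses.
    tried = 0
    for pin in candidates:
        try:
            key = oracle.derive(id_, pin_digest(id_, pin))
        except PermissionError:
            return None, tried
        tried += 1
        if decrypt(key, blob) is not None:
            return pin, tried
    return None, tried


def offline_guess(server_secret: bytes, id_: str, blob: bytes,
                  candidates: Iterable[str]) -> Optional[str]:
    # Attacker holds BOTH the dumped server secret and the ciphertext: the
    # throttle no longer applies and a 4-digit PIN falls in at most 10^4 tries.
    for pin in candidates:
        if decrypt(derive_key(server_secret, id_, pin_digest(id_, pin)), blob) is not None:
            return pin
    return None


def demo() -> dict:
    oracle = KeyOracle(secrets.token_bytes(32))
    user, pin = "alice", "4821"                        # constructed sample id and PIN
    key = oracle.derive(user, pin_digest(user, pin))   # one legitimate request
    blob = encrypt(key, b"secret note")                # the oracle never sees this

    all_pins = [f"{i:04d}" for i in range(10_000)]
    return {
        "legit": decrypt(key, blob),
        "online": online_guess(oracle, user, blob, all_pins),
        "offline": offline_guess(oracle.dump_secret_store(), user, blob, all_pins),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two attacker positions side by side: with the ciphertext alone the attacker gets only the requests left in the id's budget before the oracle refuses, while with the dumped secret store the same attacker recovers the PIN offline without touching the oracle. Two details worth noticing when triaging a report: the oracle throttles requests rather than failed attempts, because it cannot know which is which, and once the budget is spent the legitimate client is refused as well, which is the availability dependency the third bullet describes.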