From df17645e6f3b151e48a91899ddffcf800b0de69c Mon Sep 17 00:00:00 2001 From: Kevan Date: Mon, 2 Mar 2026 13:27:05 +0100 Subject: [PATCH 1/4] =?UTF-8?q?=F0=9F=94=92=EF=B8=8F=20Created=20SECURITY.?= =?UTF-8?q?md=20for=20vulnerability=20disclosure.?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Added a security policy for vulnerability disclosure guidelines. Requires an e-mail address and setting up the Private Security Disclosure system on GitHub. --- SECURITY.md | 71 +++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..5e8a8463 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,71 @@ +# Security Policy + +## ๐Ÿ” Supported Versions + +We currently provide security updates for: + +| Version | Supported | +|---------|----------| +| 0.3.x | โœ… Yes | +| < 0.3 | โŒ No | + +Please make sure you're running the latest stable version. + +--- + +## ๐Ÿ›ก๏ธ Reporting a Vulnerability + +The security of our users and their communications is our highest priority. +If you discover a security vulnerability, **please do not open a public GitHub issue**. + +Instead, report it responsibly using one of the methods below: + +### Preferred Method +๐Ÿ“ง Email: **security@yourdomain.com** (To change)
+๐Ÿ”“ GitHub's Private Vulnerability Disclosure: [here](https://github.com/VectorPrivacy/Vector/security/advisories/new) (To confirm) + +### What to Include +Please provide as much information as possible: + +- Description of the vulnerability +- Steps to reproduce +- Proof-of-concept code (if applicable) +- Impact assessment +- Suggested mitigation (if known) +- Affected version(s) + +If the vulnerability involves cryptography, authentication, message integrity, key exchange, or encryption bypass, please clearly mark it as **CRITICAL** in your report. + +--- + +## ๐Ÿ”‘ Scope + +This policy covers vulnerabilities related to: + +- Encryption and key management +- Authentication & authorization +- Message transport security +- Secure storage of messages + +Out of scope: + +- Issues in third-party services not maintained in this repository +- Social engineering attacks +- Physical device access (unless encryption guarantees are bypassed) + +--- + +## ๐Ÿงช Cryptography + +If reporting a cryptographic issue, please include: + +- Clear technical explanation +- Practical exploit scenario +- Required attacker capabilities +- Real-world impact + +--- + +## ๐Ÿ™ Thank You + +We appreciate responsible disclosure and the work of security researchers helping keep private communication secure. From 87a4330f11a70ef0a31601b0769bef625778f3b1 Mon Sep 17 00:00:00 2001 From: Kevan Date: Mon, 2 Mar 2026 13:32:22 +0100 Subject: [PATCH 2/4] Revised vulnerability scopes Removed 'Secure storage of messages' from security considerations. (As Vector doesn't store the messages) --- SECURITY.md | 1 - 1 file changed, 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 5e8a8463..b6e5dc2b 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -45,7 +45,6 @@ This policy covers vulnerabilities related to: - Encryption and key management - Authentication & authorization - Message transport security -- Secure storage of messages Out of scope: 
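Review bot: the "(To change)" marker on the email address and the "(To confirm)" marker on the GitHub advisory link in the new SECURITY.md are committed into the published policy, so a reporter cannot tell which channel is actually live, and the same section asks for "Proof-of-concept code" and a "Practical exploit scenario", which is exactly the material that should not go to an unverified mailbox. Suggest enabling private vulnerability reporting in the repository settings and confirming the mailbox before merging, then dropping both markers; a line stating an expected acknowledgement time (for example "We aim to acknowledge reports within N days", with N to be decided) would also tell reporters when a follow-up is reasonable.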
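Review bot: deleting "- Secure storage of messages" leaves the in-scope list silent on data at rest while "- Encryption and key management" stays in scope, so it is ambiguous whether issues with keys or session material stored on the device are wanted. Suggest replacing the removed line with something like "- Local storage of private keys and session material" (or an explicit out-of-scope entry) and carrying the commit message's rationale ("Vector doesn't store the messages") into the policy text, where reporters will actually see it.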
From 8cfbe1f0b046beadea49ce7cd0e9bc7ea1d50484 Mon Sep 17 00:00:00 2001 From: Kevan Date: Mon, 2 Mar 2026 21:28:28 +0100 Subject: [PATCH 3/4] Change security email to security@vectorapp.io Updated the security contact email to the new domain. --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index b6e5dc2b..b6472e1c 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -21,7 +21,7 @@ If you discover a security vulnerability, **please do not open a public GitHub i Instead, report it responsibly using one of the methods below: ### Preferred Method -๐Ÿ“ง Email: **security@yourdomain.com** (To change)
+๐Ÿ“ง Email: **security@vectorapp.io**
๐Ÿ”“ GitHub's Private Vulnerability Disclosure: [here](https://github.com/VectorPrivacy/Vector/security/advisories/new) (To confirm) ### What to Include From bd7297f587404f633b9ff0861c61b31f1077ba77 Mon Sep 17 00:00:00 2001 From: Kevan Date: Tue, 3 Mar 2026 21:26:25 +0100 Subject: [PATCH 4/4] =?UTF-8?q?=F0=9F=93=9D=20Fill=20demands?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Added a compensation section to clarify the project's current stance on financial rewards for disclosures. - Added another e-mail for reporting a vulnerability. --- SECURITY.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index b6472e1c..b2b666a5 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -21,7 +21,7 @@ If you discover a security vulnerability, **please do not open a public GitHub i Instead, report it responsibly using one of the methods below: ### Preferred Method -๐Ÿ“ง Email: **security@vectorapp.io**
+๐Ÿ“ง Emails: **security@vectorapp.io** **mail@jskitty.cat**
๐Ÿ”“ GitHub's Private Vulnerability Disclosure: [here](https://github.com/VectorPrivacy/Vector/security/advisories/new) (To confirm) ### What to Include @@ -65,6 +65,10 @@ If reporting a cryptographic issue, please include: --- +## โš–๏ธ Compensation + +At this time, we are unable to offer financial compensation for disclosures, as Vector is a volunteer-based project. This may change in the future as the project grows. We sincerely appreciate your understanding and support. + ## ๐Ÿ™ Thank You We appreciate responsible disclosure and the work of security researchers helping keep private communication secure.