We take security seriously. If you discover a security vulnerability, please report it responsibly.
For critical vulnerabilities:
- DO NOT open a public GitHub issue.
- Contact the maintainer privately via GitHub profile contacts.
- Provide detailed information about the vulnerability.
- Allow reasonable time for a fix before public disclosure.
For non-critical security discussions:
- Open a GitHub Discussion in the Q&A category.
- Use GitHub Issues for general questions.
When reporting a vulnerability, please include:
- Description of the vulnerability.
- Steps to reproduce.
- Potential impact.
- Suggested fix (if any).
This security policy applies to:
- CreateKeys/forge-keys.sh script logic.
- OpenManually/vault-open.sh script logic.
- Early-boot hooks and configuration templates.
- Physical access attacks where the attacker can extract decrypted master key files while mounted.
- Local root privilege escalation attacks that occur outside the scope of our scripts.
- Issues in third-party libraries (e.g. ssss, cryptsetup).
Thank you for helping keep this project secure!