
Security Policy

MindSafe is built with a “Security-First” philosophy. We take every report seriously and appreciate the efforts of the security community to help keep our users’ data safe.

Supported Versions

We only provide security updates for the latest stable release. If you discover a vulnerability, please ensure you are testing against the most recent version available on the Releases page.

Reporting a Vulnerability

Caution

Please do not open a public GitHub Issue for security vulnerabilities.

To protect our users, we follow a strict Responsible Disclosure policy. If you find a security flaw, please report it privately using one of the following methods:

  1. Email: Send a detailed report to oss@aryawork.com with the subject line SECURITY - <short title>.
  2. GitHub Private Reporting: If enabled, use the “Report a vulnerability” button under the Security tab of this repository.

What to Include in Your Report

To help us triage and fix the issue quickly, please include:

  • A descriptive title of the vulnerability.
  • The version of MindSafe affected.
  • A Proof of Concept (PoC) or step-by-step instructions to reproduce the issue.
  • The potential impact (e.g., local data leak, bypass of the master password, etc.).

Our Process

  1. Acknowledgment: We will acknowledge receipt of your report within 48–72 hours.
  2. Investigation: We will investigate the issue and may contact you for further details.
  3. Fix: Once confirmed, we will work on a fix. We aim to resolve critical vulnerabilities within 14 days.
  4. Disclosure: After a fix is released, we will publicly disclose the vulnerability and credit you for the discovery (unless you prefer to remain anonymous).

Scope

In-Scope

  • Cryptographic flaws in MindSafe’s use of XChaCha20-Poly1305 or Argon2id (for example, key derivation, nonce handling, or authentication of ciphertexts).
  • Plaintext notes or master keys that remain recoverable from process memory after the app is locked (for example, buffers that are not cleared on lock).
  • Bypassing the “Safe Copy” (encrypted clipboard) mechanism.
  • Flaws that allow unauthorized access to locally stored data.

Out-of-Scope

  • Attacks that require an already compromised host operating system (keyloggers, screen recorders, and similar).
  • Physical attacks where the attacker already knows the user’s master password.
  • Vulnerabilities in third-party crates (though we appreciate being informed so we can update them).
  • Issues related to the “Check for Update” network call that do not result in data exfiltration.

Rewards

As an independent open-source project, we do not currently offer a financial bug bounty program. However, we are happy to provide:

  • Public attribution in our release notes and CONTRIBUTORS.md.
  • A permanent place in our “Security Hall of Fame” within the documentation.