Security Policy

We take the security of DecoyPhrase seriously. Because our software handles sensitive cryptographic keys and private data, we appreciate the community's help in disclosing vulnerabilities responsibly.

1. Supported Versions

We only provide security updates for the latest stable release.

Project               Version   Supported
--------------------  --------  ---------
decoyphrase-web       1.x.x     Yes
decoyphrase_mobile    1.x.x     Yes
decoyphrase (Core)    1.x.x     Yes
Older versions        < 1.0.0   No

2. Reporting a Vulnerability

If you discover a security vulnerability in any part of the DecoyPhrase ecosystem, please report it privately via email.

  • Subject: [VULN] Short description

  • Body: Please include:

    • Steps to reproduce.

    • Affected versions.

    • Proof of Concept (PoC) code or screenshots.

Response Timeline

  1. Acknowledgment: We will acknowledge your report within 48 hours.

  2. Assessment: We will provide an initial assessment and estimated fix timeline within 5 business days.

  3. Fix & Disclosure: Once a fix is verified and deployed, we will coordinate a public disclosure.

3. Scope

We are interested in:

  • Crypto flaws: Weak key generation, improper IV usage, or side-channel leaks in lib/crypto.

  • Data leakage: Private keys being persisted insecurely (e.g., in localStorage without encryption, or sent to a server).

  • Injection: XSS or other injection attacks in the Web client.

  • Bypass: Methods to bypass biometric authentication on the Mobile app.

We are NOT interested in:

  • UX bugs or typos.

  • DDoS attacks on our documentation site.

  • Issues related to third-party Arweave gateways (unless they compromise client security).

4. Safe Harbor

If you conduct security research within the scope of this policy, we consider your activities authorized and will not initiate legal action against you. We ask that you:

  • Do not destroy or corrupt data.

  • Do not interrupt or degrade our services.

  • Give us reasonable time to fix the issue before making it public.