Security
Last updated: May 2026
Reporting a vulnerability
Please do not open a public issue for undisclosed security vulnerabilities. We take reports made in good faith seriously.
Use the contact channels described in our Privacy Policy (section Contact), or contact the website operator for this deployment.
Include the affected surface (web app, extension, API, cryptography), a short description, and reproduction steps if possible. For the open-source repository, see also SECURITY.md at the project root.
Scope
Examples of in-scope topics:
- Vault encryption, key derivation, or serialization in client code and shared libraries.
- Account Abstraction identity, Smart Wallet derivation, delegations, or abuse of sync / vault-CID APIs.
- Browser extension isolation, content scripts, or messaging boundaries.
- Server-side handling of ciphertext, signatures, or metadata that could weaken user security.
- Protocols and smart contracts governing asset ownership and recovery.
What to expect
We aim to acknowledge receipt within a few business days. See also our active Vault Challenge (Bug Bounty) with a growing reward.