We take the security of Yopass seriously. If you believe you have discovered a security vulnerability in Yopass, we encourage you to report it to us responsibly.
Please follow these guidelines when reporting a security issue:
- Email the report to johan{a}haals.se. Please do not create a public GitHub issue.
- Provide a detailed description of the vulnerability, including steps to reproduce the issue, potential impact, and any suggested mitigations or remediations.
- Allow a reasonable time for the Yopass maintainers to respond to your report and address the vulnerability before publicly disclosing it. We will keep you updated on our progress.
We appreciate your efforts in keeping yopass secure for everyone and will acknowledge your contribution in the project's security advisories or changelog once the issue has been resolved.
There are a couple of cases that we do not consider to be security issues:
- Enumeration/Guessing of UUIDs or decryption keys
- URLs being stored in browser history/cache
- Vulnerabilities in build time dependencies not exploitable at runtime