Vaulted

Bug Bounty & Responsible Disclosure

We welcome scrutiny. Find a real security issue, get public credit and a permanent Hall of Fame listing.

Policy last updated 2026-04-27 · Maxim Novak

The honest pitch

Vaulted is an independently-built free tool. We don't pay cash bounties yet — pretending otherwise would be misleading. Instead, valid reports get fast acknowledgment, public credit on this page, a CVE assignment when applicable, and our genuine thanks. If you're hunting for paid bounties, this isn't your venue. If you care about end-to-end-encrypted tools doing what they claim, please dig in.

What you get for a valid report

  • Acknowledgment within 48 hours. Real human, real reply.
  • Permanent Hall of Fame listing on this page with your name (or handle), the date, and a short description of the issue once fixed and disclosed.
  • CVE coordination if the finding warrants one — we'll work with you on reservation and publication timing.
  • Coordinated disclosure on a timeline that works for you. We'll fix first, then publish details with attribution.
  • A genuine thank-you note from a real person. If cash bounties become available later, retroactive payments to prior researchers will be considered fairly.

In scope

Cryptographic implementation

Any flaw in client-side AES-256-GCM, key generation, IV reuse, URL-fragment handling, or passphrase wrapping. The crypto is the product — bugs here are the highest-priority reports.

Authentication / authorization bypass

Reading or modifying secrets without the correct ID and key. Bypassing view limits, expiry, or passphrase prompts.

Data exposure

Server-side leakage of plaintext, keys, IVs in unexpected places, ciphertext, view counts, IP addresses, or any other data that should not be observable.

Server-side vulnerabilities

API route handler bugs, rate-limit bypass, injection, deserialization issues, SSRF, server-side request smuggling.

Infrastructure misconfiguration

Anything in the production deployment of vaulted.fyi that exposes data or undermines the security model.

Supply-chain integrity

Compromised or tampered build artifacts, missing SRI where it matters, dependency-confusion attacks against our published npm packages.

Out of scope

Volumetric or denial-of-service attacks

Don't try to take the site down. Rate-limit bypass bugs are in scope; flooding is not.

Spam / abuse of create-secret

Generating large numbers of secrets is not a vulnerability.

Social engineering

Of staff, contributors, or users. Phishing the security inbox does not count.

Vulnerabilities in third-party services

Issues in Vercel, Upstash, Cloudflare, etc. should be reported upstream. We're happy to coordinate if the issue affects Vaulted specifically.

Issues requiring a compromised endpoint

A compromised browser, malicious extension, or keylogger on the user's device is acknowledged in our threat model — see threat model. These are not vulnerabilities in Vaulted.

Best-practice findings without impact

"Header X is missing" or "cookie attribute Y" without a demonstrated security impact. Tell us anyway — we may fix it — but it won't qualify for Hall of Fame.

Rules of engagement

  • Test only with secrets you create yourself. Don't access or attempt to access other users' data.
  • Stop and report at the first sign of a vulnerability. Don't pivot, exfiltrate, persist, or escalate.
  • Don't publish details until we've had a reasonable opportunity to fix — typically 90 days, but we aim faster.
  • Automated scanning is fine within reasonable rate limits. If your tool generates significant traffic, throttle it.
  • Test against production at your own risk. We won't pursue action against good-faith research that follows these rules.

Process & timelines

  1. You report via [email protected]. Encrypted email is welcome.
  2. We acknowledge within 48 hours and assign a tracking reference.
  3. Triage within 5 days — we confirm whether the finding is in scope and reproducible.
  4. Fix & deploy on a timeline proportional to severity (hours for critical, days for high, weeks for lower).
  5. Coordinated disclosure with attribution to you, plus Hall of Fame entry.

Hall of Fame

  • Esrak Fardin Ratul (zer0rat)

    View-limit race condition (TOCTOU): a maxViews=1 secret could be read more than once under concurrent requests. Fixed by making the view-limit claim atomic.

Ready to report or have a question?

[email protected]

Also see: threat model · verify Vaulted yourself · security.txt