Vaulted

Bug Bounty & Responsible Disclosure

We welcome scrutiny. Find a real security issue, get public credit and a permanent Hall of Fame listing.

Policy last updated 2026-04-27 · Maxim Novak

The honest pitch

Vaulted is an independently-built free tool. We don't pay cash bounties yet — pretending otherwise would be misleading. Instead, valid reports get fast acknowledgment, public credit on this page, a CVE assignment when applicable, and our genuine thanks. If you're hunting for paid bounties, this isn't your venue. If you care about end-to-end-encrypted tools doing what they claim, please dig in.

What you get for a valid report

  • Acknowledgment within 48 hours. Real human, real reply.
  • Permanent Hall of Fame listing on this page with your name (or handle), the date, and a short description of the issue once fixed and disclosed.
  • CVE coordination if the finding warrants one — we'll work with you on reservation and publication timing.
  • Coordinated disclosure on a timeline that works for you. We'll fix first, then publish details with attribution.
  • A genuine thank-you note from a real person. If cash bounties become available later, retroactive payments to prior researchers will be considered fairly.

In scope

Cryptographic implementation

Any flaw in client-side AES-256-GCM, key generation, IV reuse, URL-fragment handling, or passphrase wrapping. The crypto is the product — bugs here are the highest-priority reports.

Authentication / authorization bypass

Reading or modifying secrets without the correct ID and key. Bypassing view limits, expiry, or passphrase prompts.

Data exposure

Server-side leakage of plaintext, keys, IVs in unexpected places, ciphertext, view counts, IP addresses, or any other data that should not be observable.

Server-side vulnerabilities

API route handler bugs, rate-limit bypass, injection, deserialization issues, SSRF, server-side request smuggling.

Infrastructure misconfiguration

Anything in the production deployment of vaulted.fyi that exposes data or undermines the security model.

Supply-chain integrity

Compromised or tampered build artifacts, missing SRI where it matters, dependency-confusion attacks against our published npm packages.

Out of scope

Volumetric or denial-of-service attacks

Don't try to take the site down. Rate-limit bypass bugs are in scope; flooding is not.

Spam / abuse of create-secret

Generating large numbers of secrets is not a vulnerability.

Social engineering

Of staff, contributors, or users. Phishing the security inbox does not count.

Vulnerabilities in third-party services

Issues in Vercel, Upstash, Cloudflare, etc. should be reported upstream. We're happy to coordinate if the issue affects Vaulted specifically.

Issues requiring a compromised endpoint

A compromised browser, malicious extension, or keylogger on the user's device is acknowledged in our threat model — see threat model. These are not vulnerabilities in Vaulted.

Best-practice findings without impact

"Header X is missing" or "cookie attribute Y" without a demonstrated security impact. Tell us anyway — we may fix it — but it won't qualify for Hall of Fame.

Rules of engagement

  • Test only with secrets you create yourself. Don't access or attempt to access other users' data.
  • Stop and report at the first sign of a vulnerability. Don't pivot, exfiltrate, persist, or escalate.
  • Don't publish details until we've had a reasonable opportunity to fix — typically 90 days, but we aim faster.
  • Automated scanning is fine within reasonable rate limits. If your tool generates significant traffic, throttle it.
  • Test against production at your own risk. We won't pursue action against good-faith research that follows these rules.

Process & timelines

  1. You report via [email protected]. Encrypted email is welcome.
  2. We acknowledge within 48 hours and assign a tracking reference.
  3. Triage within 5 days — we confirm whether the finding is in scope and reproducible.
  4. Fix & deploy on a timeline proportional to severity (hours for critical, days for high, weeks for lower).
  5. Coordinated disclosure with attribution to you, plus Hall of Fame entry.

Hall of Fame

No entries yet. Be the first — find something real and we'll put your name here permanently.

Ready to report or have a question?

[email protected]

Also see: threat model · verify Vaulted yourself · security.txt