Security

Responsible Disclosure Policy

SealedKeys is a zero-knowledge secrets vault. Security is not a feature — it is the product. We genuinely welcome reports from researchers who find vulnerabilities. This policy explains how to report safely and what you can expect from us in return.

Safe Harbour

If you discover and report a security vulnerability in good faith and in compliance with this policy, we will not pursue civil or criminal action against you, and we will not refer you to law enforcement. We consider your research to be authorised under the Computer Misuse Act 1990 and equivalent legislation in your jurisdiction, provided you act within the scope below.

We will work with you to understand and resolve the issue quickly. We ask that you give us a reasonable opportunity to fix the vulnerability before any public disclosure.

Scope

In scope
  • sealedkeys.com — web application, authentication, session management
  • API endpoints (vault items, MFA, organisations, audit log)
  • Client-side cryptography (key derivation, encryption, decryption)
  • Zero-knowledge architecture violations — anything that causes plaintext secrets to reach the server
  • Authentication bypass, privilege escalation, broken access control
  • Injection vulnerabilities (XSS, SQL, command injection)
  • 2FA / TOTP implementation weaknesses
  • CSRF, CORS, clickjacking

Out of scope
  • Denial of service attacks (DoS / DDoS) against production infrastructure
  • Social engineering or phishing attacks against SealedKeys staff or users
  • Physical access attacks
  • Vulnerabilities in third-party services or libraries we use (report to them directly)
  • Rate limiting on non-authentication endpoints
  • Missing HTTP headers with low or no impact
  • Findings from automated scanners without manual verification
  • Reports that require a victim to install malware or compromise their own device

Rules of Engagement

  • Only test against accounts you own or have explicit permission to test.
  • Do not access, modify, or delete data belonging to other users.
  • Do not perform testing that degrades the availability of the service.
  • Do not use automated scanners against production at high volume — contact us first.
  • Stop testing and report immediately if you access data that appears to belong to another user.
  • Do not disclose the vulnerability publicly until we have confirmed a fix is deployed, or 90 days have passed from your report — whichever comes first.

How to Report

Send your report to security@sealedkeys.com. Please include:

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce the issue (proof of concept is helpful but not required)
  • Any affected URLs, parameters, or code paths you identified
  • Your suggested severity (Critical / High / Medium / Low)

For highly sensitive reports, you may encrypt your email using our PGP key — contact us first to request it.

Response Timeline

  • 48 hours: Initial acknowledgement. We confirm receipt of your report.
  • 7 days: Triage update. We confirm severity and whether we can reproduce the issue.
  • 90 days: Disclosure deadline. We aim to have a fix deployed well before this.

Recognition

We do not currently operate a paid bug bounty programme. We are an early-stage product and are honest about that.

What we will do: acknowledge your contribution publicly (with your permission) in our security hall of fame, provide a clear written record that you acted in good faith under this policy, and give you early access to new features.

For critical vulnerabilities that have material impact on user security, we will discuss a discretionary payment on a case-by-case basis.

Questions about this policy?

security@sealedkeys.com

This policy is effective from 19 May 2026 and may be updated. Material changes will be announced on this page.