Kerveros
Home EULA Privacy

Security

Reporting a vulnerability

Email kerveros@agileturtles.gr. We acknowledge within 48 hours. We’ll work with you to confirm, fix, and coordinate disclosure.

Please don’t open public GitHub issues for security bugs — that gives us less runway to ship a fix before users are exposed.

Scope

In scope:

  • The Kerveros desktop application binary (macOS, Windows, Linux)
  • The source code in this repository — cryptographic correctness, IPC handlers, file-system operations, S3 client interactions
  • The auto-update mechanism (Tauri updater configuration, signature verification)
  • The license-key signing scheme

Out of scope:

  • The marketing website (kerveros.agileturtles.gr) — report site issues to support, not security
  • Third-party storage providers (Tigris, B2, AWS, etc.) — report to them directly
  • Social engineering attempts against support staff
  • Issues that require physical access to an unlocked, logged-in user’s machine

What we consider a vulnerability

  • Bypasses of the encryption boundary (decrypting without the passphrase)
  • Lock coordination flaws that allow concurrent edits to corrupt data
  • Manifest poisoning that survives signature verification
  • License-validation bypasses that don’t require patching the binary
  • Updater attacks (forged updates, downgrade attacks, MITM during update download)
  • RCE / sandbox escape via the Tauri WebView
  • Sensitive data leakage via the optional Sentry telemetry pipeline

Coordinated disclosure timeline

  • Day 0 — report received, acknowledged within 48 hours.
  • Day 0–7 — triage, reproduction, severity assessment.
  • Day 7–30 — fix developed, tested, released as a security update via the auto-updater.
  • Day 60–90 — public disclosure (CVE if applicable, advisory + credit to the reporter).

If a vulnerability is being actively exploited in the wild, we will fix and disclose faster. If it’s a complex defense-in-depth issue with no exploit path, we may take longer than 90 days — we’ll keep you informed.

Bug bounty

We don’t run a formal bounty program yet (kerveros is a small operation). For meaningful, validated reports we will offer a free Team license, a credit on the website, and an honest €50–€500 thank-you depending on severity, paid via bank transfer or crypto. We don’t consider the absence of a bounty an excuse for late or noisy reports.

Security model

Files are encrypted with XChaCha20-Poly1305; the master key is derived from the team passphrase via Argon2id (65,536 KiB memory, 3 iterations, 1 lane). Each file gets a unique data key, wrapped with the master key (envelope encryption). The salt for key derivation is stored on the bucket; the passphrase is stored in the OS keychain on each user’s device and never transmitted.

Locks use atomic conditional puts (S3 If-None-Match: *); manifest writes are guarded by a 30-second TTL distributed lock. Updates are signed with an ed25519 keypair (Tauri minisign), checked against an embedded public key on every install. License keys are issued and validated through Lemon Squeezy: the app activates a key online, then re-validates periodically with a two-week offline grace window. The license key and a device name are the only data Kerveros sends out — never file contents, names, or structure.

Full design documentation is maintained internally. Email kerveros@agileturtles.gr if you'd like access for a review or audit.

Kerveros · an agile turtles product
Home EULA Privacy