Kerveros

Security

Reporting a vulnerability

Email kerveros@agileturtles.gr. We acknowledge within 48 hours. We’ll work with you to confirm, fix, and coordinate disclosure.

Please don’t open public GitHub issues for security bugs — that gives us less runway to ship a fix before users are exposed.

Scope

In scope:

  • The Kerveros desktop application binary (macOS, Windows, Linux)
  • The source code in this repository — cryptographic correctness, IPC handlers, file-system operations, S3 client interactions
  • The auto-update mechanism (Tauri updater configuration, signature verification)
  • The license-key signing scheme

Out of scope:

  • The marketing website (kerveros.agileturtles.gr) — report site issues to support, not security
  • Third-party storage providers (Tigris, B2, AWS, etc.) — report to them directly
  • Social engineering attempts against support staff
  • Issues that require physical access to an unlocked, logged-in user’s machine

What we consider a vulnerability

  • Bypasses of the encryption boundary (decrypting without the passphrase)
  • Lock coordination flaws that allow concurrent edits to corrupt data
  • Manifest poisoning that survives signature verification
  • License-validation bypasses that don’t require patching the binary
  • Updater attacks (forged updates, downgrade attacks, MITM during update download)
  • RCE / sandbox escape via the Tauri WebView
  • Sensitive data leakage via the optional Sentry telemetry pipeline

Coordinated disclosure timeline

  • Day 0 — report received, acknowledged within 48 hours.
  • Day 0–7 — triage, reproduction, severity assessment.
  • Day 7–30 — fix developed, tested, released as a security update via the auto-updater.
  • Day 60–90 — public disclosure (CVE if applicable, advisory + credit to the reporter).

If a vulnerability is being actively exploited in the wild, we will fix and disclose faster. If it’s a complex defense-in-depth issue with no exploit path, we may take longer than 90 days — we’ll keep you informed.

Bug bounty

We don’t run a formal bounty program yet (Kerveros is a small operation). For meaningful, validated reports we will offer a free Team license, a credit on the website, and an honest €50–€500 thank-you depending on severity, paid via bank transfer or crypto. We don’t consider the absence of a bounty an excuse for late or noisy reports.

Security model

Files are encrypted with XChaCha20-Poly1305. The master key is derived from the team passphrase via Argon2id (65,536 KiB, i.e. 64 MiB, of memory; 3 iterations; 1 lane). Each file gets a unique data key, which is wrapped with the master key (envelope encryption), so the master key itself never encrypts file contents directly. The salt for key derivation is stored on the bucket; the passphrase is stored in the OS keychain on each user’s device and is never transmitted.
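The envelope scheme in the paragraph above, as an added example written for this page (it is not Kerveros’s own code). The master key is taken as a given 32-byte value standing in for the Argon2id output; AES-256-GCM from the Go standard library stands in for XChaCha20-Poly1305 so the example runs without third-party crates; the on-bucket layout, the use of the object path as associated data, the path names and the file contents are all assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

var errShortBox = errors.New("box is shorter than a nonce")

// Blob is one encrypted file as stored in the bucket: the per-file data key wrapped
// under the master key, beside the ciphertext. The layout is an assumption for this
// example, not Kerveros's on-bucket format.
type Blob struct {
	WrappedKey []byte // nonce || AEAD(masterKey, dataKey, aad = object path)
	Ciphertext []byte // nonce || AEAD(dataKey, plaintext, aad = object path)
}

// newAEAD builds the cipher for a 32-byte key. AES-256-GCM from the standard library
// stands in for XChaCha20-Poly1305 here; the envelope logic around it is the same.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and returns nonce||ciphertext.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// open splits nonce||ciphertext and authenticates it: any change to the box, the key
// or the associated data fails here, before a byte of plaintext is returned.
func open(key, box, aad []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(box) < n {
		return nil, errShortBox
	}
	return aead.Open(nil, box[:n], box[n:], aad)
}

// Encrypt draws a fresh 256-bit data key for this file, wraps it under the master key
// and encrypts the file under the data key. Both layers carry the object path as
// associated data, so a wrapped key or ciphertext copied to another path will not open.
func Encrypt(masterKey []byte, objectPath string, plaintext []byte) (Blob, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return Blob{}, err
	}
	aad := []byte(objectPath)
	wrapped, err := seal(masterKey, dataKey, aad)
	if err != nil {
		return Blob{}, err
	}
	ct, err := seal(dataKey, plaintext, aad)
	if err != nil {
		return Blob{}, err
	}
	return Blob{WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key first; if that fails the ciphertext is never touched.
func Decrypt(masterKey []byte, objectPath string, b Blob) ([]byte, error) {
	aad := []byte(objectPath)
	dataKey, err := open(masterKey, b.WrappedKey, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, b.Ciphertext, aad)
}

func main() {
	// The real master key is Argon2id(passphrase, salt); a constructed constant stands in here.
	master := bytes.Repeat([]byte{0x42}, 32)
	blob, _ := Encrypt(master, "team/notes/plan.md", []byte("constructed file contents"))
	pt, err := Decrypt(master, "team/notes/plan.md", blob)
	fmt.Printf("same path: %q %v\n", pt, err)
	_, err = Decrypt(master, "team/notes/other.md", blob)
	fmt.Println("copied to another path:", err)
}
```

Binding both layers to the object path is a design choice of this example; the page does not say whether Kerveros does the same. The stand-in cipher also shows why the nonce size matters: the master key wraps a fresh data key for every file under a random nonce, and that is exactly where XChaCha20’s 192-bit nonce gives a far larger collision margin than GCM’s 96-bit one.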

Locks use atomic conditional puts (an S3 PutObject with If-None-Match: *, which is rejected if the object already exists); manifest writes are guarded by a distributed lock with a 30-second TTL. Updates are signed with an ed25519 keypair in the minisign format used by the Tauri updater and are checked against a public key embedded in the application on every install. License keys are independent ed25519-signed payloads verified against their own, separate embedded public key.
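The TTL lock from the paragraph above, as an added example written for this page (not Kerveros’s own code). An in-memory stand-in for the bucket provides the conditional put, and the lock record, its field names, the key name and the client names are constructed for the example. Against the AWS SDK for Go v2 the same conditional put would be s3.PutObject with IfNoneMatch set to "*"; that mapping is an assumption and the SDK is deliberately not used, so the example runs offline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// ErrPreconditionFailed models the 412 S3 returns when a PutObject with If-None-Match: * finds the object present.
var ErrPreconditionFailed = errors.New("412 PreconditionFailed: object already exists")

// memStore is an in-memory stand-in for the bucket, constructed for this example.
// PutIfAbsent is the conditional put; Get returns nil for a missing key (S3's 404).
type memStore struct{ objects map[string][]byte }

func (s *memStore) PutIfAbsent(key string, body []byte) error {
	if _, exists := s.objects[key]; exists {
		return ErrPreconditionFailed
	}
	s.objects[key] = body
	return nil
}

func (s *memStore) Get(key string) []byte { return s.objects[key] }

func (s *memStore) Delete(key string) { delete(s.objects, key) } // no error for a missing key, as with S3

// lockRecord is the lock object's body; the field names are an assumption.
type lockRecord struct {
	Owner   string `json:"owner"`
	Expires int64  `json:"expires_unix"`
}

// Lock guards one key (the manifest) with a TTL, so a crashed client cannot hold it forever.
type Lock struct {
	Store      *memStore
	Key, Owner string
	TTL        time.Duration
	Now        func() time.Time // injectable clock so expiry can be tested
}

// holder returns the current lock record, or found == false when no lock object exists.
func (l *Lock) holder() (rec lockRecord, found bool, err error) {
	body := l.Store.Get(l.Key)
	if body == nil {
		return rec, false, nil
	}
	return rec, true, json.Unmarshal(body, &rec)
}

// Acquire tries the conditional put; on 412 it reads the holder's record and, only if
// that record's TTL has elapsed, deletes it and tries exactly once more.
func (l *Lock) Acquire() (bool, error) {
	rec, _ := json.Marshal(lockRecord{Owner: l.Owner, Expires: l.Now().Add(l.TTL).Unix()})
	err := l.Store.PutIfAbsent(l.Key, rec)
	if err == nil {
		return true, nil
	}
	if !errors.Is(err, ErrPreconditionFailed) {
		return false, err
	}
	held, found, err := l.holder()
	if err != nil || !found || l.Now().Unix() < held.Expires {
		return false, err // live lock, or holder released meanwhile: back off and retry later
	}
	// Stale lock. Delete-then-put is two requests, so two clients that both saw the stale
	// record can race here: the loser's put gets 412, but a delete landing after the
	// winner's put would remove the winner's fresh lock.
	l.Store.Delete(l.Key)
	if err = l.Store.PutIfAbsent(l.Key, rec); errors.Is(err, ErrPreconditionFailed) {
		return false, nil
	}
	return err == nil, err
}

// Release deletes the lock only while this owner still holds it, so a holder coming
// back after its TTL elapsed cannot remove its successor's lock.
func (l *Lock) Release() error {
	held, found, err := l.holder()
	if err != nil || !found {
		return err
	}
	if held.Owner != l.Owner {
		return fmt.Errorf("lock %s is held by %s, not %s", l.Key, held.Owner, l.Owner)
	}
	l.Store.Delete(l.Key)
	return nil
}

func main() {
	store := &memStore{objects: map[string][]byte{}}
	now := time.Unix(1_000_000, 0)
	clock := func() time.Time { return now }
	a := &Lock{Store: store, Key: "manifest.lock", Owner: "alice", TTL: 30 * time.Second, Now: clock}
	b := &Lock{Store: store, Key: "manifest.lock", Owner: "bob", TTL: 30 * time.Second, Now: clock}
	fmt.Println(a.Acquire()) // true
	fmt.Println(b.Acquire()) // false: alice's lock is live
	now = now.Add(31 * time.Second)
	fmt.Println(b.Acquire()) // true: TTL elapsed, bob takes over
	fmt.Println(a.Release()) // error: alice no longer holds it
}
```

The ownership check in Release and the single retry in Acquire are the parts worth copying: a client whose TTL has elapsed must not delete its successor’s lock, and taking over a stale lock is a delete followed by a put, a window a second client can interleave with. Whether and how Kerveros closes that window is not stated on this page.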
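An added example of the pinned-key verification that the updater and the license scheme above share (written for this page; it is neither Kerveros’s code nor the minisign wire format, whose details the page does not give). The token layout, the payload fields, the product, licensee and version strings are all assumptions. It shows the two checks a valid signature does not cover on its own: a license past its validity window, and an update whose signature verifies but whose version is not newer than the installed one, which is the downgrade case listed under updater attacks above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var ErrMalformed = errors.New("malformed signed token")
var ErrBadSignature = errors.New("signature does not verify under the embedded public key")
var ErrExpired = errors.New("license has expired")
var ErrNotNewer = errors.New("update is not newer than the installed version")

// License is the signed license payload; the field set is an assumption for this example.
type License struct {
	Product  string `json:"product"`
	Licensee string `json:"licensee"`
	Plan     string `json:"plan"`
	Expires  int64  `json:"expires_unix"`
}

// Update is the signed update descriptor (a real one also names the artifact and its digest); also assumed.
type Update struct {
	Version string `json:"version"`
}

// Sign is the vendor side and runs offline with the private key.
// The token format base64url(payload).base64url(signature) is an assumption.
func Sign(priv ed25519.PrivateKey, payload any) string {
	body, _ := json.Marshal(payload)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(body) + "." + enc.EncodeToString(ed25519.Sign(priv, body))
}

// Open verifies the signature under the pinned public key before anything is parsed, so
// unauthenticated bytes never reach the JSON decoder; a token signed by any other key fails here.
func Open(pub ed25519.PublicKey, token string, out any) error {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return ErrMalformed
	}
	enc := base64.RawURLEncoding
	body, err := enc.DecodeString(parts[0])
	sig, err2 := enc.DecodeString(parts[1])
	if err != nil || err2 != nil || len(sig) != ed25519.SignatureSize {
		return ErrMalformed
	}
	if !ed25519.Verify(pub, body, sig) {
		return ErrBadSignature
	}
	if json.Unmarshal(body, out) != nil {
		return ErrMalformed
	}
	return nil
}

// CheckLicense verifies the token, then applies the validity window.
func CheckLicense(pub ed25519.PublicKey, token string, now time.Time) (License, error) {
	var lic License
	if err := Open(pub, token, &lic); err != nil {
		return License{}, err
	}
	if !now.Before(time.Unix(lic.Expires, 0)) {
		return lic, ErrExpired
	}
	return lic, nil
}

// CheckUpdate verifies the descriptor and refuses anything not strictly newer than the
// installed version: a genuinely signed old release is still a downgrade.
func CheckUpdate(pub ed25519.PublicKey, token, installed string) (Update, error) {
	var u Update
	if err := Open(pub, token, &u); err != nil {
		return Update{}, err
	}
	if semverKey(u.Version) <= semverKey(installed) {
		return u, ErrNotNewer
	}
	return u, nil
}

// semverKey folds a plain MAJOR.MINOR.PATCH string into one comparable integer (components < 1000).
func semverKey(v string) int {
	var major, minor, patch int
	fmt.Sscanf(v, "%d.%d.%d", &major, &minor, &patch)
	return major*1_000_000 + minor*1_000 + patch
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // vendor keypair; a shipped build embeds only pub
	now := time.Unix(1_700_000_000, 0)
	tok := Sign(priv, License{Product: "kerveros", Licensee: "acme-corp", Plan: "team", Expires: now.Add(24 * time.Hour).Unix()})
	fmt.Println(CheckLicense(pub, tok, now))
	fmt.Println(CheckUpdate(pub, Sign(priv, Update{Version: "1.2.0"}), "1.3.1")) // genuine, but older than installed
}
```

The order inside Open is the point: decode, verify, and only then parse. Feeding the JSON decoder before the signature check would let an attacker exercise the parser with arbitrary input, and the version comparison in CheckUpdate is what turns "correctly signed" into "safe to install".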

Full design documentation is maintained internally. Email kerveros@agileturtles.gr if you'd like access for a review or audit.

Kerveros · an agile turtles product