Security
Reporting a vulnerability
Email kerveros@agileturtles.gr. We acknowledge within 48 hours. We’ll work with you to confirm, fix, and coordinate disclosure.
Please don’t open public GitHub issues for security bugs — that gives us less runway to ship a fix before users are exposed.
Scope
In scope:
- The Kerveros desktop application binary (macOS, Windows, Linux)
- The source code in this repository — cryptographic correctness, IPC handlers, file-system operations, S3 client interactions
- The auto-update mechanism (Tauri updater configuration, signature verification)
- The license-key signing scheme
Out of scope:
- The marketing website (kerveros.agileturtles.gr) — report site issues to support, not security
- Third-party storage providers (Tigris, B2, AWS, etc.) — report to them directly
- Social engineering attempts against support staff
- Issues that require physical access to an unlocked, logged-in user’s machine
What we consider a vulnerability
- Bypasses of the encryption boundary (decrypting without the passphrase)
- Lock coordination flaws that allow concurrent edits to corrupt data
- Manifest poisoning that survives signature verification
- License-validation bypasses that don’t require patching the binary
- Updater attacks (forged updates, downgrade attacks, MITM during update download)
- RCE / sandbox escape via the Tauri WebView
- Sensitive data leakage via the optional Sentry telemetry pipeline
Coordinated disclosure timeline
- Day 0 — report received, acknowledged within 48 hours.
- Day 0–7 — triage, reproduction, severity assessment.
- Day 7–30 — fix developed, tested, released as a security update via the auto-updater.
- Day 60–90 — public disclosure (CVE if applicable, advisory + credit to the reporter).
If a vulnerability is being actively exploited in the wild, we will fix and disclose faster. If it’s a complex defense-in-depth issue with no exploit path, we may take longer than 90 days — we’ll keep you informed.
Bug bounty
We don’t run a formal bounty program yet (kerveros is a small operation). For meaningful, validated reports we will offer a free Team license, a credit on the website, and an honest €50–€500 thank-you depending on severity, paid via bank transfer or crypto. We don’t consider the absence of a bounty an excuse for late or noisy reports.
Security model
Files are encrypted with XChaCha20-Poly1305; the master key is derived from the team passphrase via Argon2id (65,536 KiB memory, 3 iterations, 1 lane). Each file gets a unique data key, wrapped with the master key (envelope encryption). The salt for key derivation is stored on the bucket; the passphrase is stored in the OS keychain on each user’s device and never transmitted.
Locks use atomic conditional puts (S3 If-None-Match: *); manifest writes are guarded by a 30-second TTL distributed lock. Updates are signed with an ed25519 keypair (Tauri minisign), checked against an embedded public key on every install. License keys are independent ed25519-signed payloads with their own embedded public key.
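The lock coordination described above, as an added illustration that is not Kerveros code: an in-memory stand-in for a bucket with conditional writes, a lock acquire that creates with If-None-Match: * and honours the 30-second TTL, and an owner-checked release. Taking over an expired lock with an If-Match compare-and-swap on the ETag is an assumption of this example (the page only states If-None-Match); it is what stops two clients that both observe a stale lock from both "winning".

```python
import hashlib
import json

LOCK_KEY = "manifest.lock"   # hypothetical object key for the manifest lock
LOCK_TTL_S = 30              # the 30-second TTL from the security model


class PreconditionFailed(Exception):
    """Stands in for S3's HTTP 412 on a failed conditional write."""


class FakeBucket:
    """Constructed in-memory stand-in for an S3 bucket with conditional puts."""

    def __init__(self):
        self.objects = {}  # key -> (etag, body)

    def put(self, key, body, if_none_match=False, if_match=None):
        current = self.objects.get(key)
        if if_none_match and current is not None:
            raise PreconditionFailed("If-None-Match: * but object exists")
        if if_match is not None and (current is None or current[0] != if_match):
            raise PreconditionFailed("If-Match ETag mismatch")
        etag = hashlib.sha256(body.encode()).hexdigest()[:16]  # stand-in ETag
        self.objects[key] = (etag, body)
        return etag

    def get(self, key):
        return self.objects.get(key)

    def delete(self, key):
        self.objects.pop(key, None)


def acquire_lock(bucket, owner, now):
    """Return True if `owner` holds the manifest lock after this call."""
    body = json.dumps({"owner": owner, "expires": now + LOCK_TTL_S})
    try:
        bucket.put(LOCK_KEY, body, if_none_match=True)  # atomic create
        return True
    except PreconditionFailed:
        pass
    etag, existing = bucket.get(LOCK_KEY)
    if json.loads(existing)["expires"] > now:
        return False  # live lock held by another client
    # Stale lock: compare-and-swap on its ETag so only one taker succeeds.
    try:
        bucket.put(LOCK_KEY, body, if_match=etag)
        return True
    except PreconditionFailed:
        return False


def release_lock(bucket, owner):
    """Delete the lock only if `owner` still holds it (it may have been taken over)."""
    obj = bucket.get(LOCK_KEY)
    if obj is None or json.loads(obj[1])["owner"] != owner:
        return False
    bucket.delete(LOCK_KEY)
    return True
```

A real S3 delete is unconditional, so a release that races with an expiry-driven takeover is the remaining gap a reviewer would look at.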
Full design documentation is maintained internally. Email kerveros@agileturtles.gr if you'd like access for a review or audit.