| Version | Supported |
|---|---|
| 2.15.x | ✅ |
| 2.14.x | ✅ |
| < 2.14 | ❌ |
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- DO NOT create a public GitHub issue for security vulnerabilities
- Email security concerns to: security@vasic.digital
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity
  - Critical: 24-72 hours
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: Next release cycle
The following are in scope for security reports:
- Yole Android application
- Yole Desktop application
- Yole iOS application
- Yole Web application
- Shared KMP module
- Network protocol implementations
- File encryption functionality
- Credential storage
The following are out of scope:
- Third-party dependencies (report these to the upstream project)
- Social engineering attacks
- Physical attacks
- Denial of service attacks
- Encryption: AES-256 for file encryption
- Credentials: Platform-specific secure storage
  - Android: EncryptedSharedPreferences
  - Desktop: Java Preferences with encryption
  - iOS: Keychain Services
  - Web: Encrypted localStorage (the key is necessarily reachable by the page's own JavaScript, so this protects stored data from other origins and casual inspection, not from code running in the page)
- All cloud connections use HTTPS with TLS 1.2 or newer
- Certificate pinning for cloud services
- No telemetry or data collection
- Offline-first architecture
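As an added example of the file-encryption shape listed above (this is illustrative code written for this page, not Yole's own implementation), here is AES-256 on the JVM/Android target in GCM mode with a fresh random nonce per file, the nonce prepended to the ciphertext and the authentication tag appended by the cipher. The page only states "AES-256"; the mode, the 12-byte nonce layout and the 128-bit tag are assumptions. The key itself would be kept in the platform credential store named above (EncryptedSharedPreferences, Keychain), never in source.

```kotlin
import java.security.SecureRandom
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Added example, not project code. Assumed layout: nonce || ciphertext || tag.
private const val NONCE_BYTES = 12   // 96-bit nonce, the GCM recommended size
private const val TAG_BITS = 128     // full-length authentication tag
private val rng = SecureRandom()

/** Generates a random 256-bit AES key. Store it in the platform keystore, not on disk. */
fun newFileKey(): SecretKey =
    KeyGenerator.getInstance("AES").apply { init(256, rng) }.generateKey()

/** Encrypts [plaintext]; [aad] is authenticated but not encrypted (e.g. a file name). */
fun encrypt(key: SecretKey, plaintext: ByteArray, aad: ByteArray = ByteArray(0)): ByteArray {
    // A fresh nonce per call: reusing a nonce under the same key breaks GCM completely.
    val nonce = ByteArray(NONCE_BYTES).also { rng.nextBytes(it) }
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.ENCRYPT_MODE, key, GCMParameterSpec(TAG_BITS, nonce))
    cipher.updateAAD(aad)
    return nonce + cipher.doFinal(plaintext)
}

/** Decrypts a blob produced by [encrypt]; throws AEADBadTagException on any tampering. */
fun decrypt(key: SecretKey, blob: ByteArray, aad: ByteArray = ByteArray(0)): ByteArray {
    require(blob.size >= NONCE_BYTES + TAG_BITS / 8) { "blob too short to contain nonce and tag" }
    val nonce = blob.copyOfRange(0, NONCE_BYTES)
    val cipher = Cipher.getInstance("AES/GCM/NoPadding")
    cipher.init(Cipher.DECRYPT_MODE, key, GCMParameterSpec(TAG_BITS, nonce))
    cipher.updateAAD(aad)
    return cipher.doFinal(blob.copyOfRange(NONCE_BYTES, blob.size))
}

fun main() {
    val key = newFileKey()
    // Constructed sample input standing in for a file's contents.
    val plaintext = "constructed sample file contents".toByteArray()
    val name = "notes.txt".toByteArray()

    val blob = encrypt(key, plaintext, aad = name)
    check(decrypt(key, blob, aad = name).contentEquals(plaintext))

    // Flip one ciphertext byte: GCM rejects the blob instead of returning garbage.
    val tampered = blob.copyOf().also { it[NONCE_BYTES] = (it[NONCE_BYTES].toInt() xor 1).toByte() }
    val tamperRejected = runCatching { decrypt(key, tampered, aad = name) }.isFailure

    // Presenting the blob under a different file name fails the same way.
    val renameRejected = runCatching { decrypt(key, blob, aad = "other.txt".toByteArray()) }.isFailure

    println("round trip ok; tamper rejected=$tamperRejected; rename rejected=$renameRejected")
}
```

Binding the file name into the AAD is a design choice worth copying: it stops an attacker with write access to the encrypted store from swapping two valid ciphertexts between files without the key.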
- Static analysis with detekt and ktlint
- Dependency scanning with OWASP Dependency-Check
- Secret scanning with Gitleaks
- Code quality analysis with SonarQube
Before submitting code, check that it meets the following:
- No hardcoded credentials or API keys
- Input validation for all user data
- Proper error handling (no stack traces or internal details shown to users)
- Secure random number generation (a CSPRNG, not `kotlin.random.Random` or `java.util.Random`)
- No SQL injection vulnerabilities (use parameterized queries, never string-built SQL)
- No path traversal vulnerabilities (resolve user-supplied paths and confirm they stay inside the intended directory)
- Proper permission checks
- Memory-safe operations
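Two of the checklist items above in runnable form, as an added example for this page rather than code from the Yole project: a path resolver that rejects anything escaping a base directory, and token generation from `SecureRandom`. The function names and the sample inputs are assumptions made for the illustration.

```kotlin
import java.nio.file.Files
import java.nio.file.Path
import java.security.SecureRandom
import java.util.Base64

// Added example, not project code.

/**
 * Resolves a user-supplied relative name inside [root].
 * Returns null when the result would land outside [root] (or on [root] itself).
 */
fun resolveInside(root: Path, userPath: String): Path? {
    val base = root.toAbsolutePath().normalize()
    // normalize() collapses "." and "..", and resolve() of an absolute input
    // simply returns that absolute path, so all three escape routes end up
    // as a plain prefix comparison on Path objects rather than on strings.
    val candidate = base.resolve(userPath).normalize()
    if (!candidate.startsWith(base) || candidate == base) return null
    // For files that already exist, also follow symlinks before trusting the prefix.
    if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base.toRealPath())) return null
    return candidate
}

private val rng = SecureRandom()

/** A URL-safe random token with [bytes] bytes of entropy (32 bytes = 256 bits). */
fun newToken(bytes: Int = 32): String =
    Base64.getUrlEncoder().withoutPadding()
        .encodeToString(ByteArray(bytes).also { rng.nextBytes(it) })

fun main() {
    val root = Files.createTempDirectory("yole-example")
    root.toFile().deleteOnExit()

    // Constructed inputs: the first two are legitimate, the rest are traversal attempts.
    val inputs = listOf(
        "report.txt",
        "sub/../report.txt",
        "../../etc/passwd",
        "/etc/passwd",
        "sub/../../escaped.txt",
        ".",
    )
    for (input in inputs) {
        val verdict = resolveInside(root, input)?.let { "ok: ${root.relativize(it)}" } ?: "REJECTED"
        println("%-24s -> %s".format(input, verdict))
    }

    println("token: ${newToken()}")
}
```

Comparing `Path` objects after `normalize()` is the important detail: a `String.startsWith` check on the raw input is what lets `..` segments and absolute paths through.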
We follow responsible disclosure:
- The reporter notifies us privately
- We acknowledge the report and investigate
- We develop and test a fix
- We release the fix
- We credit the reporter (if desired)
- Details are published 90 days after the report or when the fix is released
- Security Email: security@vasic.digital
- PGP Key: Available upon request