© 2026 José Carrillo
Security Policy
How to report vulnerabilities and our security architecture. Covers the web application and the official CLI (zefer-cli).
Reporting a Vulnerability
Please do not open a public issue for security vulnerabilities. Report responsibly:
- GitHub Security Advisory: Report a vulnerability
- Telegram: @carrilloapps
What to include
- Description of the vulnerability
- Steps to reproduce
- Affected component (e.g., crypto.ts, zefer.ts)
- Potential impact (data exposure, encryption bypass, etc.)
- Suggested fix (if applicable)
Response timeline
| Stage | Target |
|---|---|
| Acknowledgment | 48h |
| Initial assessment | 7 days |
| Fix release | ASAP |
In scope
- Cryptographic weaknesses (AES-256-GCM, PBKDF2-SHA256)
- Key derivation flaws
- Authentication bypass (secret question, dual key, reveal key)
- Information leakage from the public header
- XSS, injection, or other OWASP Top 10 vulnerabilities
- Privacy violations (unintended data transmission)
- zefer-cli: npm package, standalone binaries, and MCP server
Out of scope
- localStorage attempt tracking bypass
- Expiration bypass via system clock manipulation
- IP restriction bypass via JavaScript modification or VPN
- Browser memory inspection during active session
Security Architecture
Zefer is a 100% client-side encryption tool, both on the web and in the CLI. No plaintext, passphrases, or encryption keys ever leave the browser or your machine. Both share the same cryptographic parameters and binary format.
| Primitive | Algorithm | Parameters |
|---|---|---|
| Symmetric encryption | AES-256-GCM | 256-bit key, 96-bit IV, 128-bit auth tag |
| Key derivation | PBKDF2-SHA256 | 300k/600k/1M iterations, 256-bit salt |
| Answer hashing | PBKDF2-SHA256 | 100,000 iterations |
| Random generation | crypto.getRandomValues | OS-level CSPRNG |