Vulnerability disclosure
How to report a security issue in LUKSbox.
Where to send it
Email [email protected] with "LUKSbox" in the subject line.
For sensitive details, encrypt with the Penthertz security PGP key:
TBD - publishing alongside v1.0.
Until then, contact [email protected] first to exchange keys out-of-band.
What to include
- Affected version(s) (`luksbox --version` output).
- Summary of the issue + impact estimate (do you believe it leaks the MVK? Allows arbitrary file read? DoS only? etc.).
- Reproducer (a script, a sample vault file, or a step-by-step recipe). Don't worry about polishing - we'd rather have a rough reproducer fast.
- Whether the issue is currently being actively exploited (if known).
Response SLA
| Severity | First response | Patch ETA |
|---|---|---|
| Critical (key-recovery, sandbox escape) | <= 24 h | <= 7 days |
| High (auth bypass, undetected tampering) | <= 72 h | <= 14 days |
| Medium (DoS, info leak short of the secret) | <= 7 days | <= 30 days |
| Low (minor hardening, defence in depth) | <= 14 days | next release cycle |
Coordinated disclosure timeline
We follow standard responsible-disclosure practice:
- You report. We confirm receipt within 24-72 h.
- We investigate, develop a fix, and prepare a patch release.
- We coordinate a disclosure date with you (default: 90 days from initial report; sooner if the patch is ready and there's no active-exploitation risk).
- On disclosure day: patched release ships, advisory published, credit given to you (unless you prefer anonymity).
What we DON'T do
- Bug bounties (yet). We do credit reporters in release notes and audit reports.
- Private patch distribution. All security fixes ship as public releases at disclosure time.
- Embargo extensions for marketing convenience. If you find something serious and we can't patch in 90 days, we'll discuss with you - but the timeline is driven by user safety, not by product calendars.
Out of scope
These don't qualify as security issues for LUKSbox specifically:
- Vulnerabilities in libfido2, fuser, WinFsp, or other dependencies - report those upstream first; we'll bump our pin once they patch.
- Side-channel attacks against your specific hardware (CPU, secure element) - vendor-side problem.
- "I forgot my passphrase, please recover my vault" - not a vulnerability; not a service we can provide. See Recovery.
- Social engineering, phishing, malware on your machine - all out-of-scope by design (no encryption tool can defend against an already-compromised host).