Because Cipher Host is a privacy-focused company, security is, obviously, quite important to us. We try our best to take security seriously around here.
This security policy outlines how to report vulnerabilities, what to expect from our team, and how we handle security-related information.
Thank you for taking the time to report an issue to us.
In general, we actively maintain and provide security updates for:
| Version | Supported |
|---|---|
| latest | ✅ |
| < latest | ❌ |
We strongly recommend using the latest version of any of our projects to ensure you have all security patches.
For sensitive security issues, please email us at security@cipher.host and include "SECURITY" in the subject line.
While email is our preferred method, you may also use GitHub's security advisory feature by clicking the Security tab in the repository with the vulnerability, and then Report a vulnerability.
You should not report issues on public GitHub issues or in other public spaces!
Please provide:
- Clear description of the vulnerability.
- Steps to reproduce.
- Potential impact.
- Affected versions.
- Any relevant proof-of-concept code.
Following our privacy-first approach:
- Submit only essential information needed to understand and verify the vulnerability.
- Avoid including personal data or sensitive production data.
- Redact any logs or screenshots to remove identifiable information.
When you submit a security report, we commit to:
- Acknowledgment: Confirm receipt within 24 hours.
- Assessment: Provide initial assessment within 72 hours.
- Communication: Keep you informed of our progress.
- Protection:
  - Handle your report confidentially.
  - Never share your personal information.
  - Delete report data once resolved.
We reserve the right to ignore low-effort reports such as those generated by automated tools or LLMs.
We follow responsible disclosure principles:
- Security issues are handled confidentially until patched.
- Reporters receive credit (if desired) after patch release.
- Public disclosure timing is coordinated with reporters.
- Full disclosure happens after patch availability.
For general security questions, contact security@cipher.host.
When in doubt about security impact, err on the side of reporting.