If you discover a security vulnerability in AnonForge, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Reporting channel: send details to the maintainers via GitHub private vulnerability reporting:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Provide a detailed description
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Expected response timeline:
- Acknowledgment: within 48 hours
- Assessment: within 7 days
- Fix: as soon as practically possible, targeting 30 days for critical issues
The following are in scope:
- Encryption weaknesses (SQLCipher, Keystore usage)
- Data leakage (logs, memory, screenshots)
- Authentication bypass (biometric, PIN)
- Insecure data storage
- API key exposure
- Any OWASP Mobile Top 10 vulnerability
The following are out of scope:
- Social engineering attacks
- Vulnerabilities in third-party services (SimpleLogin, etc.)
- Physical access attacks requiring an unlocked device
- Denial of service on the local device
For details on AnonForge's security architecture, see the Security section in the README.
Supported versions:

| Version | Supported |
|---|---|
| Latest release | ✅ |
| Previous releases | ❌ (upgrade recommended) |
Thank you for helping keep AnonForge secure. 🛡️