We currently provide security updates for:
| Version | Supported |
|---|---|
| 0.3.x | ✅ Yes |
| < 0.3 | ❌ No |
Please make sure you're running the latest stable version.
The security of our users and their communications is our highest priority.
If you discover a security vulnerability, please do not open a public GitHub issue.
Instead, report it responsibly using one of the methods below:
📧 Emails: security@vectorapp.io mail@jskitty.cat
🔓 GitHub's Private Vulnerability Disclosure: here (To confirm)
Please provide as much information as possible:
- Description of the vulnerability
- Steps to reproduce
- Proof-of-concept code (if applicable)
- Impact assessment
- Suggested mitigation (if known)
- Affected version(s)
If the vulnerability involves cryptography, authentication, message integrity, key exchange, or encryption bypass, please clearly mark it as CRITICAL in your report.
This policy covers vulnerabilities related to:
- Encryption and key management
- Authentication & authorization
- Message transport security
Out of scope:
- Issues in third-party services not maintained in this repository
- Social engineering attacks
- Physical device access (unless encryption guarantees are bypassed)
If reporting a cryptographic issue, please include:
- Clear technical explanation
- Practical exploit scenario
- Required attacker capabilities
- Real-world impact
At this time, we are unable to offer financial compensation for disclosures, as Vector is a volunteer-based project. This may change in the future as the project grows. We sincerely appreciate your understanding and support.
We appreciate responsible disclosure and the work of security researchers helping keep private communication secure.