Responsible disclosure
If you believe you found a security issue in UltraLocked or its public security components, please report it privately first.
How to report
Email security@ultralocked.com. If GitHub private vulnerability reporting is enabled on the public repository, you may use that channel too.
Scope
Reports are in scope for the public security components, documented architecture, .ultralocked bundle format, vault encryption behavior, transfer model, and security documentation. App Store account configuration, unreleased features, and unrelated infrastructure are not part of the public review scope unless they directly affect user vault security.
Safe harbor
Good-faith testing that avoids privacy violations, service disruption, data destruction, and public disclosure before coordination is welcome. Do not access or modify data that is not yours.
What to include
Include a concise summary, affected component or URL, steps to reproduce, expected impact, required attacker capabilities, and proof-of-concept files only when they are safe to share.
Response expectations
We aim to acknowledge valid reports within 5 business days and will coordinate next steps based on severity, reproducibility, and mitigation complexity.
Acknowledgement policy
We credit good-faith researchers when appropriate and when they want public credit. UltraLocked does not currently operate a paid bug bounty unless announced separately in writing.