We take security seriously. If you discover a security vulnerability in CryptoServe, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email us at: info@cryptoserve.dev

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggested fixes (optional)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 1 week
• Fix Timeline: Depends on severity
  • Critical: 24-72 hours
  • High: 1-2 weeks
  • Medium: 2-4 weeks
  • Low: Next release cycle

This policy applies to:

• CryptoServe backend API
• Official Python and TypeScript SDKs
• Dashboard frontend
• Documentation site

• Third-party dependencies (report to respective maintainers)
• Social engineering attacks
• DoS attacks

When using CryptoServe:

1. Keep SDKs Updated: Always use the latest SDK version
2. Protect Master Key: Never commit the master key to version control
3. Use HTTPS: Always use TLS in production
4. Enable FIPS Mode: For regulated environments, enable FIPS_MODE=enabled
5. Review Audit Logs: Regularly review encryption/decryption activity
6. Rotate Keys: Use the key rotation features periodically

For detailed security information, see:

• Security Whitepaper
• Threat Model

We appreciate responsible disclosure and will acknowledge security researchers who report valid vulnerabilities (with permission).