We take security seriously and appreciate responsible disclosure from the community.
If you discover a security vulnerability in KeeperHub, please report it privately:
- 📧 Email: security@keeperhub.com
Please do NOT open public issues for security vulnerabilities.
This responsible disclosure program applies to:
- KeeperHub backend services
- KeeperHub API
- KeeperHub CLI
- KeeperHub UI
- Workflow execution
- Authentication & authorization systems
Out of scope:
- Third-party dependencies (unless KeeperHub uses them incorrectly)
- Denial-of-service attacks without clear security impact
- Social engineering
- Physical attacks
Examples of valid security issues:
- Unauthorized access to user workflows or data
- Privilege escalation (user → admin, workflow → system)
- Authentication bypass
- API key leakage or misuse
- Secret exposure (wallet keys, tokens, credentials)
- Injection vulnerabilities (SQL, command, template, etc.)
- Workflow manipulation or unauthorized execution
Testing guidelines:
- Do not access or modify real user data
- Do not disrupt production systems
- Avoid automated scanning that causes load
- Use test accounts where possible
To help us validate and triage reports efficiently, we strongly encourage including a proof of concept (PoC), such as:
- Steps to reproduce the issue
- Example API requests / responses
- Screenshots or logs
- Minimal reproducible code (if applicable)
A working PoC significantly speeds up our response time. If a PoC is not possible (e.g. for theoretical or design-level issues), please provide a clear explanation of the attack scenario and impact.
We aim to respond within:
- 72 hours: initial acknowledgement
- 7 days: triage decision
- 30 days: resolution target (depending on severity)
KeeperHub currently operates a responsible disclosure program.
Bug bounty rewards may be introduced in the future depending on severity and impact.
If you follow this policy in good faith, KeeperHub will not pursue legal action against you.