
Security: mqmalagris/ephemask


SECURITY.md

Security Policy

Ephemask is a privacy-focused temporary email service. Reports of vulnerabilities are taken seriously and handled promptly.

Supported Versions

Only the latest deployment of main is supported. Older releases or forks receive no security backports.

Reporting a Vulnerability

Please do not open a public GitHub issue for security problems.

Send a detailed report to legal@ephemask.com. PGP key available on request.

Include:

  • Affected component (web, mobile, processor Lambda, API Lambda, Terraform module).
  • Steps to reproduce, including request payloads, headers, and any tokens used.
  • Impact assessment (data exposure, privilege escalation, denial of service, etc.).
  • Suggested remediation if you have one.

You will receive an acknowledgement within 72 hours. A timeline for triage and fix follows within 7 days.

Scope

In scope:

  • *.ephemask.com web application
  • api.ephemask.com REST API
  • apps/mobile React Native app
  • AWS infrastructure provisioned by terraform/
  • Webhook delivery, HMAC signing, TOTP implementation
  • DynamoDB access patterns and TTL handling

Out of scope:

  • Denial of service through legitimate API usage at high volume (covered by rate limiting)
  • Vulnerabilities in third-party services Ephemask integrates with (Stripe, RevenueCat, AWS, Vercel, Google Analytics, AdSense) — report these directly to the vendor
  • Social engineering of staff or users
  • Physical attacks against AWS data centres

Disclosure

Coordinated disclosure is preferred. After a fix ships to production, the reporter is credited in the release notes (with consent).

Reporters who follow this policy in good faith will not be subject to legal action.

Hardening Already in Place

  • HSTS with includeSubDomains, X-Frame-Options DENY, X-Content-Type-Options nosniff, strict CSP, restrictive Permissions-Policy.
  • Rate limiting (20 req/min free, 60 req/min premium).
  • Webhook payloads signed with HMAC-SHA256, secret per user.
  • TOTP (RFC 6238) optional second factor on premium accounts.
  • DynamoDB TTL on all inbox and message records; S3 lifecycle policy purges raw .eml within 24 hours.
  • Attachments served only with Content-Disposition: attachment and application/octet-stream; never rendered inline.
  • Inbox tokens are 32-byte hex; HTTP body of webhook deliveries never contains the email content.
  • API authentication checks ownership for every read endpoint (inbox token primary, user API key as ownership fallback).
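The webhook item above (HMAC-SHA256 signatures with a per-user secret, and a delivery body that carries only metadata, never the email content) is easiest to review with both ends of the exchange in hand. The following is an added example and not code from the Ephemask repository: the header names, the "sha256=" prefix, the timestamp binding and the 300-second skew tolerance are assumptions made for illustration, since the policy only states that payloads are signed with HMAC-SHA256 per user.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed header names and replay window; not taken from the project.
SIG_HEADER = "X-Ephemask-Signature"
TS_HEADER = "X-Ephemask-Timestamp"
MAX_SKEW_SECONDS = 300


def new_webhook_secret() -> str:
    """One secret per user, generated at webhook registration (per the policy's 'secret per user')."""
    return secrets.token_hex(32)


def make_event(inbox_id: str, message_id: str, size_bytes: int) -> dict:
    """Constructed delivery body: identifiers and size only, no message content or headers."""
    return {"event": "message.received", "inbox_id": inbox_id,
            "message_id": message_id, "size": size_bytes}


def canonical_body(event: dict) -> bytes:
    # Deterministic serialization so sender and receiver MAC identical bytes.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def sign_delivery(secret: str, body: bytes, timestamp: int) -> str:
    # The timestamp is bound into the MAC, so a captured delivery cannot be
    # re-sent later with a fresh timestamp header.
    msg = f"{timestamp}.".encode() + body
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def build_delivery(secret: str, event: dict, now: Optional[int] = None) -> Tuple[Dict[str, str], bytes]:
    """Sender side: returns the headers and body that would be POSTed to the user's endpoint."""
    ts = int(time.time()) if now is None else now
    body = canonical_body(event)
    headers = {TS_HEADER: str(ts),
               SIG_HEADER: "sha256=" + sign_delivery(secret, body, ts)}
    return headers, body


def verify_delivery(secret: str, headers: Dict[str, str], body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: reject missing/malformed headers, stale timestamps, and bad MACs."""
    ts_raw = headers.get(TS_HEADER)
    sig = headers.get(SIG_HEADER, "")
    if ts_raw is None or not sig.startswith("sha256="):
        return False
    try:
        ts = int(ts_raw)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_delivery(secret, body, ts)
    # Constant-time comparison so the check does not leak the expected MAC byte by byte.
    return hmac.compare_digest(expected, sig[len("sha256="):])


if __name__ == "__main__":
    user_secret = new_webhook_secret()
    hdrs, raw = build_delivery(user_secret, make_event("inbox_demo", "msg_0001", 4096))
    print(hdrs, raw)
    print("valid:", verify_delivery(user_secret, hdrs, raw))
```

The receiver must verify over the exact bytes it received, not over a re-serialized copy of the parsed JSON; any whitespace or key-order change after parsing would produce a different MAC. Returning a plain boolean, with the same failure path for every rejection reason, keeps the endpoint from telling a sender which check it failed.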
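The TOTP item (RFC 6238 as an optional second factor) is worth seeing as a complete verifier, because the parts that go wrong in practice are the window handling and code reuse rather than the HMAC itself. This is an added example and not the project's implementation; the 30-second step, 6-digit codes, one-step window and the "last accepted counter" replay guard are assumptions for illustration, and the check against the RFC 6238 reference vector uses the RFC's published 20-byte ASCII key.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # assumed; RFC 6238 default
DIGITS = 6          # assumed; authenticator-app default


def new_totp_secret() -> bytes:
    """160-bit shared secret; base32-encode it (see provisioning_secret) for enrolment."""
    return secrets.token_bytes(20)


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the key, the encoding authenticator apps expect."""
    return base64.b32encode(key).decode().rstrip("=")


def hotp(key: bytes, counter: int, digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = STEP_SECONDS,
         digits: int = DIGITS, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits, algo)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, window: int = 1,
                last_counter: Optional[int] = None) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    window: how many steps of clock drift to tolerate on each side.
    last_counter: highest counter already accepted for this user; any code at or
    below it is refused, so a code cannot be replayed inside the window.
    """
    if not (code.isdigit() and len(code) == DIGITS):
        return None
    t = int(time.time()) if at is None else at
    now_counter = t // STEP_SECONDS
    for delta in range(-window, window + 1):
        c = now_counter + delta
        if last_counter is not None and c <= last_counter:
            continue
        # Constant-time compare, even for a 6-digit string.
        if hmac.compare_digest(hotp(key, c), code):
            return c
    return None


if __name__ == "__main__":
    k = new_totp_secret()
    print("enrol with:", provisioning_secret(k))
    now = int(time.time())
    current = totp(k, at=now)
    print("code:", current, "accepted at counter:", verify_totp(k, current, at=now))
```

A server that adopts this pattern stores the returned counter per user and passes it back as `last_counter` on the next attempt; that single field turns an otherwise replayable 30-second code into a one-time code, and rate limiting on the verification endpoint (the policy lists 20 or 60 requests per minute) bounds brute-force attempts against the million-code space.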
