Security Policy
Reporting a Vulnerability
We take security seriously. If you discover a vulnerability in Ironlox, please report it to [email protected].
- Do not file a public issue for security vulnerabilities.
- Provide a detailed description with steps to reproduce.
- Include any relevant proof-of-concept code or screenshots.
- We will acknowledge your report within 48 hours.
- We follow a 90-day coordinated disclosure policy.
- Credit is given on our Hall of Fame for valid reports (opt-in).
- We do not offer a bug bounty program at this time.
Encryption Standards
All vault data is encrypted with AES-256-GCM before leaving the client device. Key derivation uses Argon2id (memory-hard, GPU-resistant). The server receives only encrypted blobs and a separate authentication hash derived with a different salt. The server never has access to plaintext data, master passwords, or encryption keys under any circumstances.
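The split described above, as an added example that is not Ironlox code: one password yields an encryption key and an authentication hash under different salts, and the hash the server holds cannot open the blob. PBKDF2 stands in for Argon2id, which the Web Crypto API does not provide; the salts, iteration count and function names are assumptions.

```javascript
// Added illustration, not Ironlox source code. PBKDF2 stands in for Argon2id,
// which Web Crypto lacks; names, salts and the iteration count are assumptions.
const webcrypto = globalThis.crypto ?? require('node:crypto').webcrypto;
const subtle = webcrypto.subtle;
const enc = new TextEncoder();

// Stretch the password with the given salt into 256 bits of raw output.
async function deriveBits(password, salt) {
  const base = await subtle.importKey('raw', enc.encode(password), 'PBKDF2', false, ['deriveBits']);
  return subtle.deriveBits({ name: 'PBKDF2', hash: 'SHA-256', salt, iterations: 100000 }, base, 256);
}

// Client side: the returned object is everything the server is sent.
async function sealVault(password, plaintext, encSalt, authSalt) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV per encryption
  const keyBits = await deriveBits(password, encSalt);
  const key = await subtle.importKey('raw', keyBits, 'AES-GCM', false, ['encrypt']);
  const blob = await subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  const authHash = await deriveBits(password, authSalt); // separate salt, unrelated value
  return { iv, blob: new Uint8Array(blob), authHash: new Uint8Array(authHash) };
}

// Try to decrypt with the given 256-bit key material.
// Resolves to null when the GCM tag check fails (wrong key or modified blob).
async function openVault(keyBits, iv, blob) {
  const key = await subtle.importKey('raw', keyBits, 'AES-GCM', false, ['decrypt']);
  try {
    return new TextDecoder().decode(await subtle.decrypt({ name: 'AES-GCM', iv }, key, blob));
  } catch {
    return null;
  }
}

async function demo() {
  const password = 'correct horse battery staple';            // constructed sample
  const encSalt = webcrypto.getRandomValues(new Uint8Array(16));
  const authSalt = webcrypto.getRandomValues(new Uint8Array(16));
  const sent = await sealVault(password, '{"site":"example.test"}', encSalt, authSalt);
  const keyBits = await deriveBits(password, encSalt);         // only the client can redo this
  const tampered = sent.blob.slice();
  tampered[0] ^= 1;                                            // one flipped bit in storage
  return {
    clientCanOpen: await openVault(keyBits, sent.iv, sent.blob),
    serverWithAuthHash: await openVault(sent.authHash, sent.iv, sent.blob),
    tamperedBlob: await openVault(keyBits, sent.iv, tampered),
  };
}
```

Calling `demo()` resolves to the three outcomes: the client recovers the plaintext, while the authentication hash and the modified blob both fail the GCM tag check.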
Infrastructure Security
- All traffic is encrypted in transit via TLS 1.3.
- API runs on Cloudflare Workers, benefiting from Cloudflare's DDoS protection and WAF.
- Database (D1) and blob storage (R2) are encrypted at rest by Cloudflare.
- Authentication uses short-lived JWT tokens (15-minute access, 7-day refresh).
- Rate limiting prevents brute-force and credential-stuffing attacks.
- Turnstile CAPTCHA protects signup and login endpoints from bots.
Supply Chain
We minimize third-party dependencies, particularly in the crypto package. All encryption uses the Web Crypto API (SubtleCrypto) — no third-party crypto libraries. Dependencies are pinned to exact versions and reviewed during updates.
PGP Key
You may encrypt sensitive reports to our PGP key (coming soon). For now, use [email protected].