We take the security of DOFTool seriously. If you discover a security vulnerability, please report it responsibly.
Please do NOT open public GitHub issues for security vulnerabilities.
Instead, report vulnerabilities through one of these channels:
-
GitHub Security Advisories (Preferred)
- Go to Security Advisories
- Click "Report a vulnerability"
- Provide detailed information about the issue
-
Email
- Send details to: artur@sendyka.dev
- Use subject line:
[SECURITY] DOFTool Vulnerability Report - If possible, encrypt your message (PGP key available on request)
Please provide as much information as possible:
- Type of vulnerability (e.g., encryption flaw, data leak, XSS, injection)
- Affected components (e.g., EncryptionService, sync protocol, IPC)
- Steps to reproduce the vulnerability
- Potential impact of the vulnerability
- Suggested fix (if you have one)
- Your contact information for follow-up questions
- Acknowledgment: We will acknowledge receipt within 48 hours
- Assessment: We will assess the vulnerability and its impact
- Updates: We will keep you informed of our progress
- Fix: We will work on a fix and coordinate disclosure
- Credit: We will credit you in the release notes (unless you prefer anonymity)
- We follow responsible disclosure practices
- We aim to release fixes within 90 days of report
- We will coordinate public disclosure with the reporter
- We will not take legal action against good-faith security researchers
DOFTool implements a zero-knowledge, end-to-end encrypted architecture:
| Purpose | Algorithm |
|---|---|
| Symmetric Encryption | XChaCha20-Poly1305 |
| Asymmetric Encryption | X25519 + XSalsa20-Poly1305 |
| Key Derivation | Argon2id |
| Digital Signatures | Ed25519 |
| Hashing | BLAKE2b |
- End-to-End Encryption: All data is encrypted before leaving the device
- Zero Knowledge: No server or relay can read family data
- Local-First: Data stays on your devices
- Forward Secrecy: Session keys protect against future compromise
- Quantum Computing: Current algorithms are not quantum-safe
- Device Security: If a device is compromised, local data may be exposed
- Admin Trust: Family admins have full access by design
For the complete security model, see docs/SECURITY.md.
- Use a strong passphrase when creating a family
- Keep your devices secure with up-to-date OS and security patches
- Share invite links securely - don't post them publicly
- Review family members periodically and remove untrusted devices
- Export backups regularly to protect against data loss
We thank the following security researchers for their responsible disclosures:
No disclosures yet - be the first!
Thank you for helping keep DOFTool and its users safe!