Security: Gerijacki/rans

SECURITY.md

Security Policy

Supported Versions

Only the latest release receives security fixes.

Version    Supported
latest     Yes
older      No

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

To report a vulnerability, open a GitHub Security Advisory (private disclosure).

Include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce or a proof-of-concept.
  • Any suggested mitigations, if you have them.

You will receive a response within 5 business days. If the issue is confirmed, a fix will be released as soon as possible, typically within 30 days.

Scope

Issues in scope:

  • Cryptographic weaknesses in the AES-GCM implementation or key generation.
  • Nonce reuse or key material exposure.
  • Path traversal or arbitrary file write vulnerabilities.
  • Dependency vulnerabilities (go.sum / go.mod).

Issues out of scope:

  • Social engineering attacks.
  • Physical access attacks.
  • Loss of the key file (this is documented as a user responsibility).
