Aegis is a post-quantum local-first keyring. Because it manages sensitive cryptographic keys, security is our highest priority. We take all vulnerability reports seriously and request they be disclosed privately.

Only the latest release is actively supported with security updates.

If you discover a security vulnerability in Aegis (such as a memory leak, parser crash, cryptographic defect, or data exposure), please report it privately. Do not create a public issue.

Please report vulnerabilities via email:

• Contact: security@aegis.io (or via the project maintainers' documented contacts)

To ensure the safety of security disclosures, we recommend encrypting your email using PGP or Aegis Armor. You can find the public key for security reports under the tests/fixtures/fake/ directory or pinned in our release page.

To help us triage and patch the issue quickly, please include:

1. A detailed description of the vulnerability.
2. Step-by-step instructions to reproduce the issue (including any fake keyring files or payloads).
3. The potential impact (e.g., local database decryption, UI bypass, denial of service).
4. Any suggested remediations or patches.

1. Acknowledgement: We will acknowledge receipt of your report within 48 hours.
2. Triage & Patching: We will work to verify the vulnerability and develop a patch. We may contact you for clarification or additional details.
3. Disclosure: Once a patch is released, we will publish a security advisory and credit you for the discovery (unless you request anonymity). We ask that you give us a reasonable amount of time to release a patch before disclosing the issue publicly (typically 90 days).