Thank you for your interest in UltraLocked’s security. This project is maintained by a small team and does not currently have a formal audit or bug bounty program — but we take security seriously and welcome responsible reports.

If you discover a vulnerability or potential issue, please report it privately by email:

• Email: security@ultralocked.com

Please do not file GitHub issues for sensitive security problems.

This repository contains documentation and a public white paper. The portable encrypted bundle format and supporting tests are published separately in the public security-core repository. The commercial iOS app, subscription UI, App Store configuration, signing material, outreach tooling, and backend deployment state are outside the public scope.

Security reports are especially appreciated for:

• Inconsistencies or omissions in documented security guarantees
• Issues in the public security core
• Bypass of documented failsafes (duress codes, vault wipes, etc.)
• Potential cryptographic design flaws
• Forensic or side-channel weaknesses not already covered in the white paper

If an issue is confirmed, we will publish a plain-English disclosure (with your permission) in this repo once a fix or mitigation is in place.

We currently do not offer a bug bounty — but your contribution will be acknowledged if you'd like.

UltraLocked is built on a zero-trust philosophy. We appreciate your help making it stronger.