If you discover a security vulnerability in money, please report it responsibly:
- Do not open a public GitHub issue.
- Email the maintainer at the address listed in the repository profile, or use GitHub's private vulnerability reporting.
- Include a description of the vulnerability, steps to reproduce, and the potential impact.
- You should receive an acknowledgement within 7 days.
money handles sensitive data including financial credentials and an encrypted local database. The following are in scope:
- Credential leakage (API keys, access tokens, encryption keys)
- Bypass of the encrypted SQLite store (Adiantum VFS)
- Unauthorized data access through CLI commands
- Injection or data corruption via provider adapters or import sources
- Secrets written to plaintext (config files, logs, stderr, JSON output)
- Encrypted at rest. The SQLite database uses Adiantum VFS encryption. The encryption key is a 32-byte random value stored in the user's `.env` file with `0600` permissions; the confidentiality of the database therefore rests on that file's permissions, and anyone who can read it can decrypt the database.
- No telemetry. money does not phone home, embed analytics, or send data to any server other than the user-configured financial providers.
- No server. There is no long-running process, no listening ports, and no remote attack surface from the application itself.
- BYOK credentials. Provider API keys are the user's responsibility. money stores them locally and never transmits them to any party other than the configured provider's API.
- The Adiantum VFS provides encryption at rest (confidentiality), not database-level tamper detection (integrity/authentication): an attacker with write access to the database file can alter the ciphertext without the application detecting it. See ADR-0001 for the full rationale.
- money does not validate TLS certificates beyond the Go standard library defaults (chain and hostname verification against the system root store); there is no certificate pinning for provider APIs.