Security Policy

Security policy and vulnerability disclosure process for CoraleVault

CoraleVault takes security seriously. This document outlines our security practices, supported versions, and how to responsibly report security vulnerabilities.


Supported Versions

We actively support the following versions with security updates:

Version      | Supported | Status
2025.11.5    | ✅ Yes    | Current release
2025.11.x    | ✅ Yes    | Recent stable
2025.10.2+   | ✅ Yes    | Still maintained
< 2025.10.2  | ❌ No     | Please upgrade (legacy KDF removed)

Recommendation: Always use the latest version for the best security.


Security Features

CoraleVault implements multiple layers of security:

Cryptographic Protection

  • Encryption: AES-256-CBC (FIPS 197 approved)
  • Authentication: HMAC-SHA256 (prevents tampering)
  • Key Derivation: PBKDF2-HMAC-SHA256 with 600,000+ iterations
  • Key Separation: HKDF-SHA256 for independent encryption/MAC keys
  • Random Generation: OS cryptographic sources (CryptGenRandom/SecRandomCopyBytes/urandom)

Memory Protection

  • Memory Locking: VirtualLock (Windows) / mlock (Linux/macOS)
  • Secure Clearing: Memory wiped before deallocation
  • No Swap: Passwords prevented from swapping to disk
  • Constant-Time Operations: Prevents timing attacks
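The four memory properties above, sketched as an added C++17 example (this is not the project's own SecureString; class and function names are assumptions): a thin wrapper over VirtualLock/mlock for the no-swap guarantee, a wipe that the optimizer cannot remove as a dead store, a buffer type that locks on construction and wipes before release, and the constant-time comparison that replaced an early-exit compare in 2025.10.2 (see "Password Comparison Timing Attack" under Past Security Issues).

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#endif

// Ask the OS to keep these pages resident so they are never written to swap
// (VirtualLock on Windows, mlock elsewhere). Failure, e.g. RLIMIT_MEMLOCK, is
// reported rather than fatal: the secret is still wiped, only the no-swap guarantee is lost.
bool lock_memory(void* p, size_t n) {
#ifdef _WIN32
    return VirtualLock(p, n) != 0;
#else
    return mlock(p, n) == 0;
#endif
}
bool unlock_memory(void* p, size_t n) {
#ifdef _WIN32
    return VirtualUnlock(p, n) != 0;
#else
    return munlock(p, n) == 0;
#endif
}

// Zero a buffer in a way the optimizer cannot drop. A plain memset() right before
// free() is a dead store (the memory is never read again) and is routinely
// eliminated; stores through a volatile pointer are not.
void secure_wipe(void* p, size_t n) {
    volatile uint8_t* vp = static_cast<volatile uint8_t*>(p);
    while (n--) *vp++ = 0;
}

// Minimal SecureString: locks its buffer on construction and wipes it before the
// memory is released. The buffer never reallocates, so the locked and wiped
// region is always the one holding the secret. Copying is disabled on purpose.
class SecureString {
public:
    explicit SecureString(const std::string& s) : buf_(s.begin(), s.end()) {
        locked_ = !buf_.empty() && lock_memory(buf_.data(), buf_.size());
    }
    ~SecureString() {
        secure_wipe(buf_.data(), buf_.size());
        if (locked_) unlock_memory(buf_.data(), buf_.size());
    }
    SecureString(const SecureString&) = delete;
    SecureString& operator=(const SecureString&) = delete;
    const uint8_t* data() const { return buf_.data(); }
    size_t size() const { return buf_.size(); }
    bool locked() const { return locked_; }
private:
    std::vector<uint8_t> buf_;
    bool locked_ = false;
};

// Early-exit comparison: returns at the first mismatch, so elapsed time reveals
// how many leading bytes were right. This is the pattern the 2025.10.2 fix removed.
bool leaky_equal(const uint8_t* a, const uint8_t* b, size_t n) {
    for (size_t i = 0; i < n; ++i)
        if (a[i] != b[i]) return false;
    return true;
}

// Constant-time comparison: visits every byte, OR-accumulates the XOR differences
// and decides only at the end, so the running time depends on n alone.
bool constant_time_equal(const uint8_t* a, const uint8_t* b, size_t n) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < n; ++i) diff = static_cast<uint8_t>(diff | (a[i] ^ b[i]));
    return diff == 0;
}

// Vector overload. Lengths are not secret here (fixed-size MAC tags or derived
// keys), so an early return on a length mismatch leaks nothing useful.
bool constant_time_equal(const std::vector<uint8_t>& a, const std::vector<uint8_t>& b) {
    return a.size() == b.size() && constant_time_equal(a.data(), b.data(), a.size());
}

// Fill a buffer with a marker, wipe it, and report whether every byte is now zero.
bool wipe_leaves_zeros(size_t n) {
    std::vector<uint8_t> buf(n, 0xA5);
    secure_wipe(buf.data(), buf.size());
    for (uint8_t b : buf) if (b != 0) return false;
    return true;
}
```

Constant-time comparison belongs wherever a secret-derived value is checked against user input: the MAC tag on the vault file and the verifier for the master password are the two obvious places. The leaky version is kept only to make the contrast visible; it should not appear in production code.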

Attack Mitigation

  • Rate Limiting: Exponential backoff after failed password attempts
  • Brute-Force Protection: 600,000+ PBKDF2 iterations slow down attacks
  • No Password Recovery: No backdoors = maximum security
  • Input Validation: Path traversal, JSON injection, file size limits

Code Quality

  • Modern C++17: Memory-safe smart pointers, RAII
  • Zero Memory Leaks: Verified with Valgrind
  • Static Analysis: Regular security scanning
  • Open Source: Public code review on GitHub

Reporting a Vulnerability

How to Report

DO NOT open a public GitHub issue for security vulnerabilities.

Instead, please email us privately:

📧 Email: dev@coralesoft.nz
🔒 Subject: SECURITY: CoraleVault Vulnerability
⏱️ Response Time: Within 48 hours

What to Include

A good security report includes:

  1. Description of the vulnerability
    • What is the issue?
    • What component is affected?
  2. Impact Assessment
    • What can an attacker do?
    • How severe is it?
  3. Steps to Reproduce
    • Detailed steps to trigger the vulnerability
    • Environment details (OS, version)
  4. Proof of Concept (if applicable)
    • Code, screenshots, or logs
    • Do NOT include actual exploits for critical vulnerabilities
  5. Suggested Fix (optional)
    • If you know how to fix it, we’d love to hear!
  6. Credit Preference
    • How would you like to be credited? (Name, handle, or anonymous)

Example Report

Subject: SECURITY: Buffer Overflow in Password Field

Description:
A buffer overflow exists in the password input field that could allow
arbitrary code execution.

Impact:
High - An attacker could execute arbitrary code if they can get a user
to paste a specially crafted password.

Steps to Reproduce:
1. Open CoraleVault
2. Create new entry
3. Paste a 10,000 character password
4. Application crashes

Environment:
- CoraleVault 2025.11.5
- Windows 11 Pro 23H2
- x86_64

Credit:
Jane Doe (jane@security.example)

Disclosure Process

We follow coordinated disclosure (also called responsible disclosure).

Timeline

  1. Day 0: You report the vulnerability
  2. Day 1-2: We acknowledge receipt and begin investigation
  3. Day 3-7: We confirm the issue and assess severity
  4. Day 7-30: We develop, test, and deploy a fix
  5. Day 30+: Public disclosure (coordinated with reporter)

Severity Levels

Severity | Examples                                      | Response Time
Critical | Remote code execution, password leakage       | 24-48 hours
High     | Local privilege escalation, encryption bypass | 3-7 days
Medium   | DoS, information disclosure                   | 7-14 days
Low      | Minor information leak, UI spoofing           | 14-30 days

Communication

  • Initial Response: Within 48 hours
  • Status Updates: Every 7 days until resolved
  • Fix Released: Security advisory published
  • CVE Assignment: For high/critical vulnerabilities

Bug Bounty Program

Status: ❌ Not currently available

We are a small open-source project and do not have a formal bug bounty program at this time. However:

  • ✅ We publicly credit security researchers (unless they prefer anonymity)
  • ✅ We provide recognition in release notes
  • ✅ We may send swag/merch for significant findings (when available)

In the future, we hope to establish a proper bug bounty program.


Out of Scope

Please do not report the following (they are not considered security vulnerabilities):

By Design

  • No password recovery - This is intentional for security
  • PBKDF2 slowness - Intentional (prevents brute-force)
  • Unsigned executables - Code signing costs $400/year (we’re open source)
  • No automatic updates - By design (user control)

Expected Behavior

  • Antivirus false positives - Submit to antivirus vendors, not us
  • Gatekeeper warnings (macOS) - Expected for unsigned apps
  • SmartScreen warnings (Windows) - Expected for unsigned apps

Social Engineering

  • Phishing attacks - Educate users, not a software vulnerability
  • Physical access attacks - Assumes attacker has your computer
  • Weak user passwords - User responsibility

Third-Party Issues

  • Vulnerabilities in dependencies (wxWidgets, Crypto++) - Report to upstream
  • OS vulnerabilities - Report to Microsoft/Apple/Linux vendors
  • Cloud storage vulnerabilities - Report to Dropbox/Google/etc.

Security Best Practices for Users

CoraleVault is secure, but you need to use it securely:

Strong Master Password

  • ✅ Use 16+ characters
  • ✅ Mix uppercase, lowercase, numbers, symbols
  • ✅ Use a passphrase (easier to remember, hard to guess)
  • ❌ Don’t reuse passwords
  • ❌ Don’t use dictionary words

Backup Your Vault

  • ✅ Keep 2+ backups in different locations
  • ✅ Test backups regularly
  • ✅ Cloud storage is safe (vault is encrypted)

Device Security

  • ✅ Use full-disk encryption (BitLocker, FileVault)
  • ✅ Lock your computer when away
  • ✅ Keep OS and antivirus updated
  • ✅ Don’t install CoraleVault on compromised systems

Operational Security

  • ✅ Lock vault when not in use (Ctrl+L)
  • ✅ Close CoraleVault when done
  • ✅ Be careful with screen sharing
  • ❌ Don’t store master password digitally

See our Security Guide for more tips.


Security Audits

Internal Audits

  • October 2025 - Comprehensive security hardening
    • 6 critical vulnerabilities fixed
    • All CRITICAL and HIGH priority issues resolved

External Audits

  • Planned - Independent security audit by third-party firm
    • Target: 2026
    • Will be publicly published

Community Review

  • Ongoing - Open source allows continuous community review
  • View source code

Past Security Issues

We believe in transparency. Here are security issues we’ve fixed:

2025.11.4 - Critical Password Memory Leaks

  • Severity: Critical
  • Impact: Passwords could remain in unencrypted memory
  • Fixed: SecureString used throughout, memory properly zeroed
  • Credit: Internal security audit

2025.10.2 - Password Comparison Timing Attack

  • Severity: High
  • Impact: Attackers could infer password information via timing
  • Fixed: Constant-time password comparison
  • Credit: Internal security audit

2025.10.2 - Password Generator Modulo Bias

  • Severity: High
  • Impact: Weak passwords due to non-uniform distribution
  • Fixed: Rejection sampling for perfect uniformity
  • Credit: Internal security audit
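The modulo-bias issue and its rejection-sampling fix, as an added C++17 example (not the project's own generator; the function names, the 62-symbol alphabet and the use of std::random_device in place of the OS sources listed above are assumptions for this example). The preimage-count functions enumerate all 256 byte values, so the bias is shown exactly rather than estimated from samples.

```cpp
#include <cstdint>
#include <cstdio>
#include <functional>
#include <memory>
#include <random>
#include <string>
#include <vector>

// A source of uniformly distributed bytes. The application draws these from the
// OS CSPRNG (CryptGenRandom / SecRandomCopyBytes / urandom); std::random_device
// stands in for it in this example.
using ByteSource = std::function<uint8_t()>;

// Largest multiple of n that fits in a byte's range [0, 256). Byte values at or
// above this limit are the ones that would skew the distribution.
inline unsigned rejection_limit(size_t n) { return 256u - (256u % n); }

// BIASED (the pre-2025.10.2 pattern): reduce one byte modulo the alphabet size.
// Unless n divides 256, symbols 0 .. (256 % n) - 1 each get one extra preimage
// and are selected more often than the rest.
size_t biased_index(ByteSource& next, size_t n) { return next() % n; }

// UNBIASED: rejection sampling. Redraw while the byte lies in the leftover range,
// so every accepted value belongs to a symbol with exactly 256 / n preimages.
// With a uniform source the redraw probability per draw is (256 % n) / 256.
size_t unbiased_index(ByteSource& next, size_t n) {
    const unsigned limit = rejection_limit(n);
    unsigned b;
    do { b = next(); } while (b >= limit);
    return b % n;
}

// Exhaustive preimage counts: for each symbol, how many of the 256 byte values
// select it. This exposes the bias exactly, with no sampling noise.
std::vector<unsigned> modulo_preimage_counts(size_t n) {
    std::vector<unsigned> counts(n, 0);
    for (unsigned b = 0; b < 256; ++b) ++counts[b % n];
    return counts;
}
std::vector<unsigned> rejection_preimage_counts(size_t n) {
    std::vector<unsigned> counts(n, 0);
    for (unsigned b = 0; b < rejection_limit(n); ++b) ++counts[b % n];
    return counts;
}

// Password generation using the unbiased selector.
std::string generate_password(ByteSource& next, const std::string& alphabet, size_t length) {
    std::string out;
    out.reserve(length);
    for (size_t i = 0; i < length; ++i)
        out.push_back(alphabet[unbiased_index(next, alphabet.size())]);
    return out;
}

// ByteSource backed by std::random_device (shared so the functor stays copyable).
ByteSource os_byte_source() {
    auto dev = std::make_shared<std::random_device>();
    return [dev]() { return static_cast<uint8_t>((*dev)() & 0xFFu); };
}

int main() {
    const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";  // 62 symbols
    auto biased = modulo_preimage_counts(alphabet.size());
    auto fair   = rejection_preimage_counts(alphabet.size());
    std::printf("modulo:    symbol 0 -> %u preimages, symbol 61 -> %u\n", biased[0], biased[61]);
    std::printf("rejection: symbol 0 -> %u preimages, symbol 61 -> %u\n", fair[0], fair[61]);
    ByteSource src = os_byte_source();
    std::printf("sample password: %s\n", generate_password(src, alphabet, 20).c_str());
    return 0;
}
```

For the 62-symbol alphabet, 256 = 4 × 62 + 8, so the modulo version gives the first eight symbols five preimages each and the rest four: those eight characters appear 25% more often than they should, which is exactly the non-uniformity a password cracker can exploit when ranking guesses. Rejection sampling discards the eight leftover byte values (about 3% of draws) and every symbol ends up with four.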

See Changelog for complete history.


Security Roadmap

Planned security improvements:

2026.x

  • ✅ Two-factor authentication (TOTP) for app unlock
  • ✅ Hardware key support (YubiKey, FIDO2)
  • ✅ Biometric unlock (fingerprint, Face ID)
  • ✅ External security audit
  • ✅ Code signing certificates

Future

  • Argon2id KDF option (memory-hard)
  • Hardware security module (HSM) support
  • Audit logging (enterprise)
  • Security key enrollment

Contact

Security Team: dev@coralesoft.nz
GitHub: github.com/Coralesoft/CoraleVault
Security Page: /security/

Response Time: Within 48 hours for security reports


PGP Key (Optional)

For extra-sensitive reports, you may encrypt your email with our PGP key:

Key ID: A483AC0E3C3B7E51
Fingerprint: (see GPG-PUBLIC-KEY.asc)

curl -O https://raw.githubusercontent.com/Coralesoft/PasswordVault/main/GPG-PUBLIC-KEY.asc
gpg --import GPG-PUBLIC-KEY.asc
gpg --encrypt --recipient dev@coralesoft.nz your-report.txt

Safe Harbor

We will not pursue legal action against security researchers who:

  • ✅ Report vulnerabilities responsibly
  • ✅ Do not exploit vulnerabilities
  • ✅ Do not access others’ data
  • ✅ Follow coordinated disclosure

No Warranty

CoraleVault is provided “as-is” under GPL v3 with no warranty. See Terms of Service for details.


This security policy was last updated on November 4, 2025.

Thank you for helping keep CoraleVault secure! 🔒