keeholder-mkt

Security Policy

Project status

kp-poc is pre-1.0 and unaudited. It is not yet ready to hold real secrets. Do not use it as your daily password manager — the fixtures and test databases shipped in this repository exist purely for format verification.

A scoped third-party audit of the crypto and key-handling layers is planned for the v2.0 cycle, not v1.0. v1.0 leans on a small trust surface: no external Swift package dependencies in the cryptographic path, vendored Argon2 at a fixed commit, and zero network calls from the cryptographic or database-handling code. The v2.0 audit report and all findings (fixed or accepted) will be published alongside the v2.0 release.

Reporting a vulnerability

Please report security issues privately via one of these channels, in preference order:

  1. GitHub Security Advisories — open a draft advisory on this repository. This is the preferred channel once the repository is public; it keeps the report confidential until we coordinate a fix and disclosure.
  2. Emailneelagiri@outlook.com. Reports to this address are read by the maintainer.

Please include:

Please do not open a public GitHub issue for anything you believe has a security impact.

We aim to acknowledge reports within 72 hours and to provide a timeline for remediation within 7 days. Disclosure is coordinated — we’ll request an embargo window long enough to ship a fix.

Threat model

In scope

Out of scope

Key handling

Clipboard

Biometric authentication

Memory hygiene

Swift’s value semantics make true secure-memory handling difficult: String and Data are copied and moved by the runtime, with no reliable way to wipe all copies. Mitigations we apply:

We document these limits honestly rather than claiming guarantees the platform cannot deliver. mlocked memory regions for long-lived keys are being evaluated for a later release.

Dependencies

See docs/reference/dependencies.md for the complete dependency inventory — every third-party library, vendored C source, and first-party Apple framework used, with license and rationale.

The only non-Apple code in the shipping binary is the vendored phc-winner-argon2 reference implementation, pinned at a fixed commit hash. There are currently zero runtime Swift-package dependencies.