• Algorithm: AES-256-GCM
• Key Derivation: PBKDF2 with 100,000 iterations
• IV: Random 12-byte initialization vector per encryption
• Salt: Fixed application salt (consider user-specific in production)

• Hashing: SHA-256 for all rule content
• Verification: Checksums stored with encrypted data
• Immutability: Rules cannot be modified after creation

• Location: Browser IndexedDB (local only)
• Format: Encrypted blobs only
• Plaintext: Never stored, only in memory during active session

• Fetch API: Disabled at runtime
• XMLHttpRequest: Disabled at runtime
• WebSocket: Disabled at runtime
• CSP: Content Security Policy enforced

DO NOT open a public issue for security vulnerabilities.

1. Email: Send details to [your-email@example.com]

2. Include:

   • Description of vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

3. Response Time:

   • Initial response: 48 hours
   • Status update: 7 days
   • Fix timeline: Depends on severity

• Acknowledgment: We'll confirm receipt
• Investigation: We'll verify the issue
• Fix: We'll develop and test a patch
• Disclosure: Coordinated disclosure after fix
• Credit: You'll be credited (if desired)

• Use 16+ character passwords
• Include uppercase, lowercase, numbers, symbols
• Never reuse passwords
• Store master password securely offline

• Encrypt backup files before cloud storage
• Store backups in multiple secure locations
• Test restore procedures regularly
• Shred old printed documents

• Lock vault when not in use
• Use on trusted devices only
• Keep browser updated
• Clear browser cache periodically
• Don't share your device while unlocked

• Lock computer when away
• Store printed PDFs in safe
• Destroy old backups securely
• Don't photograph screen with sensitive data

• IndexedDB can be cleared by user/browser
• No protection against physical device access
• Relies on browser security model

• Fixed salt (not user-specific)
• Consider implementing per-user salts
• PBKDF2 iterations could be higher

• Lost password = lost data
• No backdoor or recovery mechanism
• This is by design (zero-knowledge)

• Depends on browser's Web Crypto API
• Vulnerable to browser exploits
• Keep browser updated

✅ Network interception (offline-only) ✅ Unauthorized access (encryption) ✅ Data tampering (checksums) ✅ Casual snooping (locked vault)

❌ Physical device access (full disk encryption recommended) ❌ Keyloggers (use trusted devices) ❌ Browser vulnerabilities (keep updated) ❌ Rubber-hose cryptanalysis (don't use under duress)

Future improvements under consideration:

• User-specific salts
• Argon2 key derivation
• Hardware security key support
• Encrypted backup with separate password
• Auto-lock after inactivity
• Clipboard clearing
• Memory wiping on lock

• Last Audit: Not yet audited
• Status: Community review only
• Recommendation: Use for personal data only, not for critical secrets

This software:

• Does NOT collect telemetry
• Does NOT transmit data
• Does NOT store passwords
• Does NOT have backdoors
• IS open source (auditable)

This software is provided "as is" without warranty. Users are responsible for:

• Choosing strong passwords
• Maintaining backups
• Securing their devices
• Understanding the limitations

Use at your own risk. Always maintain offline backups of critical data.

Security is a shared responsibility. Stay vigilant!