Security Policy

Security is core to everything we build at Auxiora. This document describes our security architecture, vulnerability disclosure process, and how to report issues.

1. Security Architecture

1.1 Client-Side Encryption

All sensitive data (credentials, API keys, vault contents) is encrypted on your device before it ever leaves. We use:

• AES-256-GCM for authenticated encryption of vault contents.
• Argon2id for key derivation (64 MB memory cost, 3 iterations, 4 parallelism) — resistant to GPU and ASIC brute-force attacks.
• Secure memory zeroing — encryption keys are cleared from memory after use.

1.2 Zero-Trust Access Model

• Unknown senders receive a one-time pairing code (expires in 15 minutes).
• DM-based confirmation required for new connections.
• Per-channel allowlist authentication.
• No implicit trust — every access request is verified.

1.3 Tamper-Evident Audit Logs

• Chained SHA-256 hashes — modifying any entry breaks the chain.
• Automatic redaction of passwords, tokens, keys, and credentials in logs.
• Logs are append-only and cryptographically verifiable.

1.4 Zero-Knowledge Cloud

In cloud mode, we store only opaque ciphertext. Our servers never see plaintext vault data, encryption keys, or your master password. We cannot comply with decryption requests because we are technically unable to decrypt.

2. Vulnerability Disclosure

We follow a responsible disclosure model. If you discover a vulnerability, please report it privately so we can address it before public disclosure.

2.1 How to Report

• Email: security@auxiora.ai
• PGP key: available at https://auxiora.ai/.well-known/security.txt (key ID to be published)
• Preferred format: include steps to reproduce, impact assessment, and any proof-of-concept code.

2.2 What to Include

• Description of the vulnerability and its potential impact.
• Steps to reproduce (the more detail, the faster we can fix it).
• Affected component (client, server, API, encryption, etc.).
• Any supporting materials (screenshots, logs, PoC code).

3. Response Timeline

• Acknowledgment: within 24 hours of report.
• Initial assessment: within 72 hours.
• Fix development: critical issues targeted within 7 days; others within 30 days.
• Disclosure: coordinated with the reporter. We credit researchers (with permission) in our security advisories.

4. Scope

4.1 In Scope

• Authentication and authorization bypasses.
• Encryption weaknesses or key management flaws.
• Remote code execution (client or server).
• Cross-site scripting (XSS), SQL injection, and other injection attacks.
• Data leakage of plaintext secrets or credentials.
• Privilege escalation.
• Audit log tampering or chain-breaking.

4.2 Out of Scope

• Social engineering or phishing attacks against Auxiora employees.
• Denial-of-service (DoS/DDoS) attacks.
• Issues in third-party dependencies (report these upstream; let us know if they affect Auxiora).
• Issues requiring physical access to a user's device.
• Reports from automated scanners without a demonstrated impact.

5. Safe Harbor

We will not pursue legal action against researchers who:

• Act in good faith and follow this disclosure policy.
• Avoid accessing, modifying, or deleting other users' data.
• Do not disrupt service availability.
• Report findings promptly and provide reasonable time for remediation.

6. Security Best Practices for Users

• Use a strong, unique master password.
• Enable two-factor authentication when available.
• Keep your self-hosted deployment updated.
• Review audit logs periodically for unexpected access.
• Back up your encryption keys securely — we cannot recover them.

7. Contact

For security-related inquiries:
Email: security@auxiora.ai
PGP: key to be published at https://auxiora.ai/.well-known/security.txt

Auxiora LLC