Security & Responsible Disclosure
Heritavo manages sensitive data under a zero-knowledge model, so security reports are our highest priority. This page describes how to report a vulnerability to us and what you can expect from us in return.
How to report issues
Preferably by email to security@heritavo.com. If that channel is unreachable, you can also reach us at support@heritavo.com.
Machine-readable version of this policy: /.well-known/security.txt.
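For reference, this is what an RFC 9116 security.txt carrying the contact details from this page looks like. It is an illustrative example added to this page, not the file actually served from heritavo.com: the Expires date, the Canonical, Policy and Acknowledgments URLs and the Preferred-Languages value are assumptions.

```text
# Illustrative security.txt (example added here, not the live file).
# Contact lines are listed in order of preference; the address on this page
# comes first, the fallback second.
Contact: mailto:security@heritavo.com
Contact: mailto:support@heritavo.com
# Expires is mandatory in RFC 9116; the date below is assumed and should be
# refreshed before it passes (the RFC recommends no more than a year ahead).
Expires: 2027-05-01T00:00:00.000Z
# Canonical lets a reader check they fetched the file from the intended host.
Canonical: https://heritavo.com/.well-known/security.txt
# Policy and Acknowledgments URLs are assumed; they should point at this page
# and at the Hall of Fame respectively.
Policy: https://heritavo.com/security
Acknowledgments: https://heritavo.com/security/hall-of-fame
Preferred-Languages: en
```

The file must be served over HTTPS at /.well-known/security.txt with a text/plain content type; it may optionally be wrapped in an OpenPGP cleartext signature so researchers can verify it was not altered in transit.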
What to include in your report
- A short description of the vulnerability and the affected component.
- Reproduction steps (request/response, URL, account ID where applicable).
- An impact assessment and the preconditions an attacker needs.
- Optional: a remediation suggestion.
What we commit to
- We confirm receipt within 72 hours.
- We provide a first status update within 7 days.
- We will not pursue legal action against researchers who act in good faith, adhere to this policy, and do not exfiltrate real user data.
- On request, we credit you in a public Hall of Fame once the issue is fixed.
What we ask of you
- Do not use destructive techniques (DoS, data manipulation, mass account creation) — if you need proof, create your own test account.
- Do not access other users' data. If you can reach real data, stop immediately and report it.
- Disclose the vulnerability only after a fix has been released or 90 days after your report, whichever comes first.
Scope
In scope are all Heritavo-operated hosts under heritavo.com. Other Heritavo domains (e.g. heritavo.ch, heritavo.de) are mere redirects to heritavo.com and have no separate scope. Out of scope are linked third parties, pure spam/phishing reports, and automated scanner findings without concrete impact.
Zero-knowledge model
Heritavo encrypts vault contents client-side before upload. The server never sees the master key. Even a full database leak therefore gives an attacker no access to decrypted vault data, provided the user's password is strong enough to withstand an offline brute-force attack against the Argon2id key derivation. We treat findings that break this invariant with the highest priority.
Version: May 2026