SeedTools Suite is designed for offline, deterministic, and high‑security environments.
We take security seriously and appreciate responsible reports from the community.
This policy explains how to report vulnerabilities privately and safely, without exposing users to risk.
If you discover a security issue, please report it privately via email:
krunixbase@gmail.com
Include the following information:
- clear description of the issue
- steps to reproduce
- affected version or commit
- potential impact
- proof‑of‑concept (if available)
We will acknowledge your report within 72 hours.
To protect users, we ask that you:
- do not publish the vulnerability before we release a fix
- do not open public GitHub issues
- do not share exploit details publicly
- do not contact developers directly outside the official channel
We follow a coordinated disclosure model:
- Researcher reports privately
- We investigate and confirm
- We develop and test a fix
- We release a patched version
- We publish a security advisory
- Researcher may publish details after patch release
- cryptographic correctness
- derivation logic (BIP32/39/44/49/84/86)
- Shamir Secret Sharing (SLIP‑39)
- entropy generation and validation
- memory handling and zeroization
- offline security boundaries
- supply‑chain vulnerabilities
- local privilege escalation within the app
These issues are environmental and cannot be mitigated by SeedTools:
- compromised operating systems
- hardware keyloggers
- malicious firmware
- BIOS/UEFI implants
- physical access attacks
- malware on the user’s device
The following are not considered vulnerabilities:
- feature requests
- UI/UX issues
- missing functionality
- weak user passwords
- user mistakes (wrong seed, wrong path, etc.)
- issues caused by malware on the user’s machine
- issues caused by modified or unofficial builds
We support good‑faith security research.
If you follow this policy:
- we will not pursue legal action
- we will not report you to authorities
- we will treat your research respectfully
- we will credit you (optional) in advisories
Actions performed outside this policy may violate law.
Our process:
- Triage — confirm severity and reproducibility
- Assessment — evaluate cryptographic and architectural impact
- Fix — patch, test, and verify
- Release — publish a secure update
- Advisory — publish CVE (if applicable)
- Credit — acknowledge the researcher (optional)
SeedTools is designed to minimize attack surface:
- no networking
- no telemetry
- no cloud
- no seed storage
- offline‑first
- deterministic core
However, no software can protect users on a compromised system.
We appreciate responsible researchers who help us keep SeedTools secure.