VeilForms takes security seriously. As a privacy-first form management platform built on zero-trust principles, we welcome responsible disclosure of security vulnerabilities.
We currently support security updates for the following versions:
| Version | Supported |
|---|---|
| Latest | ✅ |
| < Latest | ❌ |
As VeilForms is actively developed, we recommend always using the latest version deployed at https://veilforms.com.
If you discover a security vulnerability, please follow these steps:
Please do not create public GitHub issues for security vulnerabilities. This helps protect our users while we work on a fix.
Send details to: security@veilforms.com
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Your suggested remediation (if any)
- Your contact information for follow-up
You can expect:
- Initial response: Within 48 hours
- Status update: Within 5 business days
- Resolution timeline: Depends on severity
- Critical: 1-7 days
- High: 7-14 days
- Medium: 14-30 days
- Low: 30-90 days
We believe in coordinated disclosure:
- We'll work with you to understand and validate the issue
- We'll develop and test a fix
- We'll deploy the fix to production
- We'll publicly acknowledge your contribution (if desired)
Typical disclosure timeline: 90 days from initial report.
Security issues in the following areas are in scope:
- Client-side encryption implementation
- Authentication and authorization
- Session management
- API endpoint security
- XSS, CSRF, and injection vulnerabilities
- Cryptographic vulnerabilities
- Privacy leaks or data exposure
- Authorization bypass
- Infrastructure security (Netlify deployment)
The following are generally out of scope:
- Social engineering attacks
- Denial of Service (DoS/DDoS) attacks
- Issues requiring physical access to a user's device
- Recently disclosed 0-day vulnerabilities (give us time to patch)
- Theoretical vulnerabilities without proof of concept
- Vulnerabilities in third-party services (report to them directly)
- Issues that require unlikely user interaction
- Rate limiting on non-critical endpoints
- Missing security headers that don't lead to a vulnerability
- SSL/TLS configuration issues (handled by Netlify)
VeilForms uses industry-standard encryption:
- RSA-2048 with OAEP padding for asymmetric encryption
- AES-256-GCM for symmetric encryption
- SHA-256 for hashing
- Web Crypto API for all cryptographic operations
See our Security Architecture page for detailed technical specifications.
- Client-side encryption: Data is encrypted before leaving the browser
- Zero-knowledge architecture: VeilForms servers never see unencrypted form data
- Key isolation: Each form has unique RSA key pairs
- Secure key storage: Private keys stored encrypted in browser localStorage
- HTTPS everywhere: All traffic encrypted in transit
- Security headers: CSP, HSTS, X-Frame-Options, etc.
We currently do not have a formal bug bounty program. However, we deeply appreciate security research and will publicly acknowledge security researchers who help make VeilForms more secure.
For sensitive communications, you can use our PGP key:
Currently not available - email security@veilforms.com for encrypted communication setup
Security updates will be announced via:
- GitHub releases
- Security advisories on GitHub
- Email to registered users (for critical issues)
- Our blog at https://veilforms.com/blog/
For general security questions that don't involve vulnerability disclosure, you can:
- Email: security@veilforms.com
- Review our Security Architecture documentation
- Open a discussion on GitHub (for non-sensitive topics)
We appreciate the security community's efforts. Reporters who responsibly disclose vulnerabilities will be acknowledged in:
- Our security hall of fame (coming soon)
- Release notes
- Public thank you (unless you prefer to remain anonymous)
Thank you for helping keep VeilForms and its users safe!