
Security: curiouscoder-cmd/ENV_Storage


Security Policy

Our Commitment to Security

Security is paramount for ENV Storage Manager. We take the protection of your sensitive environment variables and API keys very seriously. This document outlines our security practices and how to report vulnerabilities.

🛡️ Security Features

Encryption

  • AES-256 Encryption: All stored secrets are encrypted using industry-standard AES-256 encryption
  • Key Derivation: Master passwords are processed using PBKDF2 with SHA-256
  • Salt Generation: Unique salts for each encryption operation
  • No Plain Text Storage: Secrets are never stored in plain text

Best Practices

  • Master Password: Never hardcoded or stored in plain text
  • Memory Protection: Sensitive data cleared from memory after use
  • Secure Deletion: Proper cleanup of temporary files
  • No Logging: Secrets are never logged or printed

📋 Supported Versions

We release patches for security vulnerabilities for the following versions:

Version Supported
1.x.x
< 1.0

🐛 Reporting a Vulnerability

We appreciate responsible disclosure of security vulnerabilities. Please follow these guidelines:

Where to Report

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please report security issues via:

  1. GitHub Security Advisories (Preferred)

  2. Email (Alternative)

    • Send details to the repository maintainer
    • Use subject line: [SECURITY] Brief description

What to Include

Please provide:

  • Description: Clear description of the vulnerability
  • Impact: Potential impact and severity
  • Reproduction Steps: Detailed steps to reproduce the issue
  • Proof of Concept: Code or commands demonstrating the vulnerability
  • Suggested Fix: If you have ideas for fixing it
  • Environment: OS, Python version, package versions

Example Report

Subject: [SECURITY] Potential encryption key exposure in CLI output

Description:
When using the --debug flag, encryption keys may be exposed in console output.

Impact:
High - Could lead to unauthorized access to encrypted secrets

Steps to Reproduce:
1. Run: env-storage --debug export --project myapp
2. Observe console output contains encryption key

Environment:
- OS: macOS 14.0
- Python: 3.11.5
- ENV Storage: 1.0.0

Suggested Fix:
Sanitize debug output to exclude sensitive key material

⏱️ Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Fix Timeline: Depends on severity
    • Critical: 1-7 days
    • High: 7-30 days
    • Medium: 30-90 days
    • Low: Next release cycle

🎯 Vulnerability Severity

We use the following severity levels:

Critical

  • Remote code execution
  • Authentication bypass
  • Encryption key exposure
  • Mass data breach potential

High

  • Local privilege escalation
  • Sensitive data exposure
  • Denial of service (persistent)

Medium

  • Information disclosure (limited)
  • Denial of service (temporary)
  • Security misconfiguration

Low

  • Minor information leaks
  • Best practice violations

🏆 Security Hall of Fame

We recognize security researchers who responsibly disclose vulnerabilities:

Be the first to help us improve security!

🔐 Security Best Practices for Users

For Users

  1. Strong Master Password

    • Use at least 16 characters
    • Include uppercase, lowercase, numbers, and symbols
    • Never reuse passwords from other services
    • Consider using a password manager
  2. Protect Your Vault

    • Never commit your vault file to version control
    • Regularly backup your encrypted vault
    • Store backups securely (encrypted cloud storage)
  3. Access Control

    • Limit file system permissions on vault files
    • Don't share your master password
    • Use separate vaults for different security contexts
  4. Keep Updated

    • Regularly update to the latest version
    • Review release notes for security patches
    • Enable notifications for security advisories
  5. Environment Security

    • Use the tool on trusted systems only
    • Be cautious of keyloggers and screen recording
    • Clear terminal history after sensitive operations

For Contributors

  1. Code Review

    • All code changes require review
    • Security-sensitive changes need extra scrutiny
    • Use static analysis tools
  2. Dependencies

    • Keep dependencies updated
    • Review dependency security advisories
    • Use only trusted packages
  3. Testing

    • Write security-focused tests
    • Test edge cases and error conditions
    • Never commit test data with real secrets
  4. Documentation

    • Document security implications
    • Update security docs with changes
    • Provide secure usage examples

🚫 Out of Scope

The following are generally considered out of scope:

  • Vulnerabilities in dependencies (report to the dependency maintainers)
  • Social engineering attacks
  • Physical access attacks
  • Denial of service via resource exhaustion (without amplification)
  • Issues requiring the user to run malicious code
  • Theoretical vulnerabilities without proof of concept

📚 Security Resources

📜 Disclosure Policy

  • We follow a 90-day disclosure timeline
  • Security fixes are released as soon as possible
  • CVE IDs are requested for confirmed vulnerabilities
  • Public disclosure coordinated with reporter
  • Credit given to reporters (unless anonymity requested)

🔄 Security Updates

Subscribe to security updates:

  • Watch the repository for security advisories
  • Check the Security Advisories page
  • Follow release notes for security patches

📞 Contact

For security-related questions (non-vulnerabilities):


Thank you for helping keep ENV Storage Manager and our users safe! 🛡️

Last Updated: October 10, 2025
