Security at ShieldFive
This page is the public summary of how ShieldFive Labs handles security. It's the page to read first if you're a researcher, an auditor, or anyone trying to decide whether to trust the product.
How the cryptography works
ShieldFive encrypts every file in the browser before it leaves the device. The server only ever sees ciphertext. There is no plaintext key escrow, no shared master key, no backdoor — and no way for ShieldFive Labs to read your files.
The cryptography is implemented in a single open-source library, @shieldfive/crypto, Apache 2.0 licensed and published to npm. The library is the only crypto that runs in production. There is no parallel implementation.
The library ships:
- Three production cipher suites: AES-256-GCM (suite 0x01), XChaCha20-Poly1305 (0x02), and a post-quantum hybrid combining ML-KEM-1024 with XChaCha20-Poly1305 (0x03).
- A read-only legacy reader for the original v0 wire format, so files encrypted before the library existed remain readable.
- A self-describing v1 wire format with AAD-bound chunks, documented in spec/format-v1.md.
- HKDF-SHA-256 key derivation, Argon2id password hashing, deterministic ML-KEM-1024 keypair derivation from a user master secret.
- A documented threat model at spec/threat-model.md stating what the design protects against and what it explicitly does not.
Where the program is today
Honest status, current as of the date below.
- The crypto library is open-source and published. Apache 2.0, npm, GitHub. Anyone can clone, read, run the tests, and audit the spec without our involvement.
- The library is at version 1.0.0-alpha.3. The "alpha" is a release-cadence choice — it describes when the library will tag 1.0.0 stable, which is gated on the external security audit. It does not describe the production stability of shieldfive.com itself, which has been running the library's cryptography in production since launch.
- A public bug bounty program is live for the library. See /security/bug-bounty for scope, payouts, and reporting.
- An internal security review is in progress. When complete, a summary will be published on this page with findings categorized by severity and remediation status.
- An external security audit is deferred. Audits in this category cost between €15,000 and €60,000 depending on firm and scope. ShieldFive Labs is bootstrap-funded; the audit will be commissioned when product revenue makes it self-funding rather than a personal expense. The bug bounty program is the public review channel until then.
- The web application is not yet open-source and not yet independently audited. It runs the open-source library for all cryptography, and standard web-app security practices (RLS-first schema, encrypted metadata, no plaintext keys server-side) apply. When the library audit is complete, the web application is the next audit target.
What happens if ShieldFive Labs disappears
A reasonable question to ask before you trust a small company with your files is what happens to those files if the company stops existing. The honest answer for ShieldFive is that a company shutdown does not compromise the confidentiality of your files, because the zero-knowledge architecture means your files were never readable by ShieldFive Labs in the first place. They are encrypted in the browser before leaving the device, and the keys live with you, not with us.
In a worst-case scenario where ShieldFive Labs is no longer here to operate the service, three things are needed to keep reading your files, and you already have or can get all three:
- Your password and recovery key. These are what unlock your encryption keys. You have them. ShieldFive never sees them and has no way to derive them.
- The encrypted blobs themselves. Files are stored as ciphertext at Backblaze B2 in the EU. There is a documented export path that lets you pull your full ciphertext archive at any time, before or after any company event. Your data is not trapped behind a control plane only ShieldFive can operate.
- A working decryptor. The cryptography is open-source and the wire format is documented, so the @shieldfive/crypto library at the version your files were encrypted with will continue to decrypt them on any machine that can run npm. The code does not stop working when the company does.
This is not hypothetical reassurance. The same export path is the one used to let users leave ShieldFive at any time for any reason — your files belong to you, in a format you can move, regardless of whether ShieldFive Labs is still around to host them.
How to verify the cryptography yourself
If you are a developer or a security auditor, you do not have to take any of this on faith. The library is small enough to read in a sitting, and the wire format is small enough to implement from spec.
If you are a non-technical reader, you can skip this section. The short version is that any independent developer or security firm can verify the cryptography from the published code and specifications, and the bug bounty program pays them when they find something wrong.
For the technical reader, here's a starting checklist:
git clone https://github.com/shieldfive/crypto
cd crypto
pnpm install
pnpm test # runs the test vectors and the parser fuzz harness
pnpm test:vectors # regenerates and verifies deterministic vectors
cat spec/format-v1.md # the on-disk format
cat spec/threat-model.md # what the design does and doesn't protect against
cat spec/key-derivation.md # KDF parameters and rationale
For a deeper look:
- The combiner construction for the post-quantum hybrid suite is in src/suites/pq-hybrid-v1/. The HKDF input ordering and the domain-separation tags are the load-bearing pieces.
- The identity and sharing module is in src/identity/. The re-encapsulation construction used for share-link recipients is the part most worth scrutinizing — it is non-standard.
- The header parser and AAD construction are in src/format/. The invariant the parser enforces is documented in spec/format-v1.md.
If you find anything, the bug bounty program at /security/bug-bounty is the canonical channel for reports. Real findings on this surface are paid; the program is operated directly by ShieldFive Labs without a third-party platform.
What this page commits to
This page will be updated as the program advances. Specifically:
- When the internal security review is complete, a findings summary will be added below.
- When an external audit is commissioned, the firm and scope will be announced here.
- When an audit report is delivered, the report PDF will be hosted on shieldfive.com (not on the auditor's site — auditor pages move, ours don't) and linked from this page.
- When the library tags 1.0.0 stable, the alpha framing on this page will be removed.
The build-log at /build-log records the engineering work behind the program as it ships, with a post per phase milestone. Reading the build-log alongside this page is the most complete public picture of the program's state.
Last updated
Last updated: 2026-05-08.