ShieldFive Bug Bounty Program
ShieldFive Labs runs a public bug bounty program for the open-source cryptography library that powers shieldfive.com: @shieldfive/crypto.
We pay researchers who report security vulnerabilities in the library in good faith, under the rules below. The program is operated directly by ShieldFive Labs — there is no third-party platform between you and us.
If you are a customer trying to decide whether to trust ShieldFive with your files, this page is probably not what you're looking for. The customer-facing security overview lives at /security — it explains how the cryptography works, what happens to your files in worst-case scenarios, and the current status of the program. This page is the formal policy for researchers reporting vulnerabilities.
What's in scope
The following code and specifications, at the latest published version of @shieldfive/crypto on npm, or any version still readable from a production deployment of shieldfive.com:
- The four cipher suites: aes-256-gcm-v1 (suite 0x01), xchacha20-poly1305-v1 (0x02), pq-hybrid-xchacha-mlkem1024-v1 (0x03), and the read-only legacy aes-gcm-v0 reader.
- The v1 wire format as specified in spec/format-v1.md.
- The KDF wrapper in src/kdf/argon2id.ts.
- The HKDF-SHA-256 and HMAC-SHA-256 primitives in src/internal/.
- The identity and sharing module in src/identity/.
- The format header parser in src/format/header.ts.
- The threat model claims in spec/threat-model.md — if you can falsify a specific claim from that document, we want to know.
What's out of scope
These are not eligible for bounty under this program. Reports of these will be acknowledged and read, but will not be paid.
- The shieldfive.com web application, infrastructure, or any service ShieldFive Labs operates other than the crypto library. The web application is not yet open-source and is not yet eligible for a public bounty; we plan to extend the program after the web application has been independently audited.
- Vulnerabilities in dependencies (@noble/post-quantum, libsodium-wrappers-sumo, Node.js, browsers, V8, JSC, WebKit) — please report those upstream.
- Theoretical attacks on the underlying primitives (AES, ChaCha20, ML-KEM-1024, SHA-256, Argon2id) at the construction level — these belong in the academic literature.
- Side-channel attacks against the underlying browser SubtleCrypto runtime, the user's CPU microarchitecture, or libsodium's WASM build. These are documented as out-of-scope in spec/threat-model.md.
- Vulnerabilities that require an attacker to already control the user's device (malware, malicious browser extensions, keyloggers).
- Denial-of-service against the public website or against npm registry endpoints.
Severity and payouts
Severity is determined by the impact described in spec/threat-model.md, not by CVSS in isolation. We will explain our severity assignment in every reply.
- Critical (up to €1000) — Plaintext recovery from ciphertext; recovery of a content key, master secret, or ML-KEM secret key; PQ-hybrid combiner falsification.
- High (up to €500) — Integrity bypass that returns mutated plaintext as if authentic; truncation/reorder/splice attacks not detected by the AEAD layer.
- Medium (up to €250) — Implementation error that is exploitable but not catastrophic; KDF parameter weakness; spec-vs-implementation drift with security implications.
- Low (swag/credit) — Defense-in-depth issue, hardening recommendation.
- Informational (credit) — Code quality, documentation, test coverage gap.
The program operates with a quarterly budget cap of €3000. If reports in a quarter would exceed the cap, payouts for that quarter's lower-severity reports may be deferred to the next quarter; Critical and High severity payouts are honored regardless. The cap exists to keep the program within ShieldFive Labs' bootstrap budget; we will raise it as the product grows.
Response commitments
- Acknowledge receipt — within 72 hours.
- Initial triage reply — within 7 days.
- Critical patch target — 14 days.
- High patch target — 30 days.
- Medium patch target — 90 days.
- Low / informational — best effort.
These windows assume good-faith reporting per the rules in this document. ShieldFive Labs is a small team and these windows reflect realistic capacity, not aspiration. We will explain delays in writing if any commitment slips.
How to report
Send your report by email to security@shieldfive.com.
The PGP key fingerprint will be published with the v1.0.0 stable release of @shieldfive/crypto. Until then, please send reports in plaintext; we will follow up over an encrypted channel of your choice (Signal, or PGP once the key is published).
Please include:
- A description of the vulnerability and its security impact.
- Steps to reproduce, including a minimal proof-of-concept if possible.
- The exact library version under test (e.g. 1.0.0-alpha.3).
- The runtime environment (Node version, browser, bundler).
- Whether the issue is already public or has been disclosed elsewhere.
- Your name and a way to contact you, or "anonymous" if you prefer.
Safe harbor
Security research conducted in accordance with this program's rules is authorized. ShieldFive Labs will not pursue civil claims against, or refer to law enforcement, researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
- Do not access, modify, or exfiltrate data belonging to anyone other than themselves or research accounts.
- Report the vulnerability promptly through this program's channel.
- Do not exploit the vulnerability beyond what is necessary to confirm it.
- Do not publicly disclose the vulnerability before ShieldFive Labs has had a reasonable opportunity to remediate it (the timelines above).
If a third party initiates legal action against you for activities conducted under this program, we will make this authorization clear.
Disclosure
We default to a 90-day coordinated disclosure window from the date of report. We will move faster if there is active exploitation in the wild and slower if a coordinated multi-party fix is in progress. CVE registration happens for Critical and High severity findings.
After remediation, the finding is published in the program's public log on the build-log — with your credit if you've consented, anonymously if you prefer.
Acknowledgements
This list is populated as reports are remediated. Researchers are credited with their consent.
(No findings yet. Inaugural program — your name could be the first on this list.)
Last updated
The "last updated" date below reflects the most recent edit to this policy. Material changes are announced via the build-log and dated.
Last updated: 2026-05-08.