
Security: North9-Labs/Fob


SECURITY.md

Security Policy

Fob is a security-focused project. We take vulnerabilities seriously and appreciate responsible disclosure.

Supported Versions

Version    Supported
0.1.x      Yes

Reporting a Vulnerability

Please do not open public issues for security vulnerabilities.

Instead, report them privately via GitHub Security Advisories:

  1. Go to Security Advisories
  2. Click "New draft security advisory"
  3. Fill in the details and submit

We will respond within 72 hours and work with you to verify, fix, and disclose the issue responsibly.

What to Include

  • A clear description of the vulnerability
  • Steps to reproduce (proof-of-concept if possible)
  • Impact assessment (what data or operations are at risk)
  • Suggested fix or mitigation (if you have one)

Scope

The following classes of vulnerability are in scope:

  • Cryptographic implementation errors (KDF, AEAD, key derivation)
  • Memory safety issues (use-after-free, buffer overflows, information leaks)
  • Vault format parsing vulnerabilities
  • TOTP/SSH agent protocol implementation bugs
  • Clipboard handling or auto-lock bypasses

Out of scope:

  • Physical attacks on the USB device (intended threat model)
  • Compromised host machines (keyloggers, screen capture)
  • Social engineering or passphrase guessing
  • Issues in third-party dependencies (report to upstream)

Recognition

With your permission, we will credit you in the release notes and advisory once the fix is published.
