| Version | Support |
|---|---|
| 0.2.x | Yes |
| 0.1.x | Yes |
| < 0.1 | No |
LaCryptJS takes security seriously. If you discover a security vulnerability, please report it responsibly:
- Do not open a public issue for security vulnerabilities
- Email the project maintainer at lacryptjs@gabrielmasson.com.br, including:
  - A description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - A suggested fix (if any)

You can expect:
- Acknowledgment of receipt within 72 hours
- Initial assessment within 14 days
- Progress updates every 30 days
- Credit in the fix (if desired)
Vulnerabilities in scope include:
- Encryption bypass
- Key or sensitive data leakage
- Timing attacks
- Cryptographic weaknesses
- Issues in random number generation

Out of scope:
- Attacks requiring physical access to the user's device
- Social engineering attacks
- Denial of service (DoS) in the browser
- Vulnerabilities in third-party dependencies (report these to the relevant project)
Cryptographic primitives used by the library:
- Encryption: AES-256-GCM (AEAD)
- Key Derivation: PBKDF2-SHA256 with 310,000 iterations
- Hash: SHA-256
- Randomness: Web Crypto API (crypto.getRandomValues)
Recommendations for applications using LaCryptJS:
- Use strong passwords (minimum 12 characters)
- Never store passwords in plain text
- Use the `hash()` function to generate a unique key per user
- Serve the application over HTTPS in production
Limitations to keep in mind:
- Do not rely solely on client-side encryption for critical data; it does not replace server-side security controls
- Without HTTPS, the JavaScript delivered to the browser can be altered in a man-in-the-middle attack, which defeats any client-side encryption
- Weak passwords compromise all security: the derived key is only as strong as the password behind it
- Decrypted data is exposed in browser memory while in use
- Encrypted data cannot be searched or indexed on the backend
- Data cannot be recovered if the password(s) are forgotten or deleted
We follow a coordinated disclosure process:
- Vulnerability reported and confirmed
- Fix developed and tested
- New version released
- Public disclosure after update period (minimum 30 days)
We appreciate everyone who reports vulnerabilities responsibly.