Security & disclosure
Last updated · 2026-05-26
Keyfount is a security-sensitive tool. This page describes the threat model the Service is designed for, the cryptographic construction it relies on, the coordinated-disclosure process for reporting a vulnerability and the integrity guarantees attached to published releases.
1. Scope
This policy covers every component published under the Keyfount Project: the browser extension,
the desktop application (macOS, Windows, Linux), the mobile applications (iOS, Android), the
website at keyfount.github.io and the optional self-hostable sync server.
2. Threat model — what the Service protects against
- Vault leaks. There is no vault. Derived passwords are computed on demand and never persisted.
- Sync-service compromise. By default the Service performs no synchronisation. When the optional self-hosted sync server is used, authentication relies on OPAQUE (RFC 9807) and all stored values are opaque ciphertexts: a complete database dump leaks nothing that an attacker can use to recover the master offline.
- Network observers. The browser extension and the desktop and mobile applications perform no outbound network call by default. The website performs no request after the initial page load.
- Password reuse across sites. Derived passwords are unique per site by construction; a leak from one site cannot be replayed against another.
- Server compromise of a self-hosted sync deployment. Even an attacker with full read/write access to the database cannot learn the master password, the site domains, the account identifiers or the derivation profiles, which are encrypted client-side before transmission.
3. What the Service does not protect against
- A compromised device. A keylogger or malware running with your user rights can read your master password while you type it. Keep your operating system, browser and security patches up to date.
- A weak master password. An attacker who recovers a derived password from a breached site, and who already knows the email and the domain used at that site, can attempt to recover the master offline. Argon2id raises the cost substantially, but a short or common master is still recoverable. Choose a master password that is long, unique and not derived from public information about you.
- Phishing. The extension fills the password field of the active tab, including on look-alike domains. Verify the URL bar before filling.
- Shoulder-surfing and physical access. The Service offers an auto-lock timer and an optional encrypted hint, but it cannot defend against an attacker with sustained physical access to an unlocked device.
- Operator compromise of a self-hosted sync deployment. Confidentiality of the synchronised metadata against a malicious server operator depends on the integrity of the client at the time it is run. Use only client builds you trust.
4. Cryptographic construction
Password derivation uses Argon2id (RFC 9106), the memory-hard function recommended by OWASP for password hashing. Parameters: 3 iterations, 64 MiB of memory, parallelism 1, 32-byte output. The salt is built from the registrable site domain, the account identifier used at that site and a per-site counter. The output is shaped into a password matching the per-site profile.
Local secrets stored at rest (the optional encrypted master-password hint and, where applicable, the local account index) are encrypted with AES-256-GCM under a wrapping key derived from your master password using PBKDF2-SHA-256. Authentication to the optional self-hosted sync server uses OPAQUE, an asymmetric password-authenticated key-exchange protocol.
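The derivation described above, as an added illustration that is not Keyfount's code: the salt is assembled from the registrable domain, the account identifier and the per-site counter, a memory-hard function produces 32 bytes, and those bytes are shaped into a password that satisfies a per-site profile. Because the Python standard library has no Argon2id, hashlib.scrypt (also memory-hard) stands in for it; the page's Argon2id parameters (3 iterations, 64 MiB, parallelism 1, 32-byte output) would replace that one call. The salt encoding, the PROFILES table and the shaping rules are assumptions of this example.

```python
import hashlib
import hmac
import string

# Constructed illustration, not Keyfount's implementation. hashlib.scrypt stands in
# for Argon2id (RFC 9106), which the standard library does not provide.

# Assumed per-site profiles: required character classes and total length.
PROFILES = {
    "default": {"length": 20, "classes": (string.ascii_lowercase, string.ascii_uppercase,
                                          string.digits, "!@#$%^&*-_+=")},
    "alnum": {"length": 16, "classes": (string.ascii_lowercase, string.ascii_uppercase, string.digits)},
    "pin": {"length": 6, "classes": (string.digits,)},
}


def build_salt(domain: str, account: str, counter: int) -> bytes:
    """Salt = registrable domain || account identifier || per-site counter.

    Each field is length-prefixed so that ("ab", "c") and ("a", "bc") cannot
    collide. The exact encoding is an assumption of this example.
    """
    parts = [domain.lower().encode("utf-8"), account.encode("utf-8"), str(counter).encode("ascii")]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def derive_raw(master: str, domain: str, account: str, counter: int = 0) -> bytes:
    """Memory-hard derivation of the 32-byte per-site secret; nothing is persisted."""
    return hashlib.scrypt(master.encode("utf-8"), salt=build_salt(domain, account, counter),
                          n=2 ** 14, r=8, p=1, dklen=32)


def _byte_stream(raw: bytes):
    """Expand the 32-byte secret into an unbounded deterministic byte stream (HMAC counter mode)."""
    block = 0
    while True:
        yield from hmac.new(raw, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def _index(stream, n: int) -> int:
    """Uniform index in [0, n) by rejection sampling, avoiding modulo bias (n <= 256)."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def shape(raw: bytes, profile: str = "default") -> str:
    """Map the raw secret onto a password that satisfies the profile's constraints."""
    spec = PROFILES[profile]
    stream = _byte_stream(raw)
    # One character from every required class guarantees the profile is met.
    chars = [cls[_index(stream, len(cls))] for cls in spec["classes"]]
    alphabet = "".join(spec["classes"])
    while len(chars) < spec["length"]:
        chars.append(alphabet[_index(stream, len(alphabet))])
    # Deterministic Fisher-Yates shuffle so the guaranteed characters are not always first.
    for i in range(len(chars) - 1, 0, -1):
        j = _index(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def derive_password(master: str, domain: str, account: str,
                    counter: int = 0, profile: str = "default") -> str:
    """Complete on-demand derivation: same inputs always yield the same password."""
    return shape(derive_raw(master, domain, account, counter), profile)


if __name__ == "__main__":
    print(derive_password("correct horse battery staple", "example.com", "alice@example.com"))
```

Changing the counter is how a site's password is rotated without changing the master: the salt changes, so the whole output changes, while every other site's password stays the same.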
5. Release integrity
- Tagged releases. Every published release corresponds to a Git tag in the public repository.
- Reproducible builds. The bundle published to each distribution channel is built from the corresponding tag. You can check out the tag, run the documented build command and compare the resulting bundle against the one shipped by the channel.
- Signed container images. Server container images are published to GitHub Container Registry from the Project's automated CI; the image digest is reproducible from the published sources.
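The comparison step of the reproducible-build check above, as an added example that is not the Project's release tooling: both bundles (a directory tree you built from the tag, or a zip archive as shipped by a store) are reduced to a manifest of relative path and SHA-256 of content, so that file timestamps and permissions, which packagers often do not normalise, do not produce false mismatches, while any added, removed or altered file is reported. The file names and contents in demo() are constructed for the illustration.

```python
import hashlib
import os
import pathlib
import tempfile
import zipfile

# Added example, not Keyfount's own code. Compares bundles by content hash only.


def bundle_manifest(bundle):
    """Return {relative path: sha256 hex} for a directory tree or a zip archive."""
    path = pathlib.Path(bundle)
    manifest = {}
    if path.is_file() and zipfile.is_zipfile(path):
        with zipfile.ZipFile(path) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    manifest[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    else:
        for p in sorted(path.rglob("*")):
            if p.is_file():
                manifest[p.relative_to(path).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def compare_bundles(local, shipped):
    """Report files present on one side only and files whose bytes differ."""
    a, b = bundle_manifest(local), bundle_manifest(shipped)
    return {
        "only_local": sorted(set(a) - set(b)),
        "only_shipped": sorted(set(b) - set(a)),
        "differing": sorted(p for p in a.keys() & b.keys() if a[p] != b[p]),
    }


def bundles_match(report):
    return not any(report.values())


def _write_tree(root, files, mtime):
    """Write constructed sample files with a fixed modification time."""
    for rel, data in files.items():
        p = pathlib.Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (mtime, mtime))


def demo():
    """Constructed scenario: same bytes with different timestamps, then one altered file."""
    files = {
        "manifest.json": b'{"name": "example-ext", "version": "0.0.0-example"}',
        "js/background.js": b"console.log('hello');\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        local = pathlib.Path(tmp, "local")
        shipped = pathlib.Path(tmp, "shipped")
        _write_tree(local, files, 1_000_000_000)
        _write_tree(shipped, files, 1_700_000_000)  # identical content, later mtimes
        same = compare_bundles(local, shipped)

        # The channel ships a zip in which one file was changed; the container
        # format does not matter, the altered file is still reported.
        tampered = pathlib.Path(tmp, "shipped.zip")
        with zipfile.ZipFile(tampered, "w") as zf:
            zf.writestr("manifest.json", files["manifest.json"])
            zf.writestr("js/background.js", b"console.log('changed');\n")
        diff = compare_bundles(local, tampered)
    return same, diff


if __name__ == "__main__":
    same, diff = demo()
    print("timestamp-only difference matches:", bundles_match(same))
    print("altered bundle report:", diff)
```

In practice the left-hand side is the directory produced by the documented build command at the checked-out tag and the right-hand side is the archive downloaded from the distribution channel; any non-empty entry in the report is the file to investigate.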
6. Reporting a vulnerability
If you believe you have found a security vulnerability in any Project component, the website, the cryptographic construction or the build pipeline, please report it privately rather than opening a public issue.
- Preferred channel. GitHub's private vulnerability reporting: github.com/Keyfount/extension/security/advisories/new, or the equivalent advisory page on any other Keyfount repository.
- Alternative channel. Email security-keyfount@loule.me.
- What to include. A clear description of the issue, reproduction steps, the affected version (visible in the "About" panel of the application), an assessment of impact and any suggested mitigation.
7. Our commitments
- We acknowledge new reports within 72 hours.
- We provide an initial triage and severity assessment within 7 days.
- We aim to publish a fix within 90 days of confirmation, with earlier targets for critical issues.
- We coordinate disclosure with the reporter and credit them in the release notes and the security advisory, unless they prefer to remain anonymous.
- We will not take legal action against good-faith security researchers who follow this coordinated-disclosure process and who do not access, modify or destroy data belonging to other users.
8. Out of scope
- Findings that require an already-compromised device, root or administrator privileges, or a malicious browser extension running alongside the Service.
- Reports that consist solely of automated-scanner output without a demonstrated security impact.
- Vulnerabilities in third-party services (browser stores, hosting providers, dependencies maintained by other projects) — please report those to the relevant maintainer.
- The security posture of any self-hosted sync server deployment, which is the responsibility of its operator.
9. Public advisories
Confirmed vulnerabilities are documented in GitHub Security Advisories on the affected repository, with a CVE assigned where appropriate. Subscribe to repository releases to be notified of new advisories.