FastMask/SECURITY.md
Paweł Orzech 4a081300cb
Add templates, splash screen, and UI enhancements
Introduces GitHub issue and PR templates, contributing and security documentation. Adds Android 12+ splash screen support, updates theming and status color handling, and improves MaskedEmail card/detail UI with shared transitions and accessibility. Updates dependencies for Compose and Material3, and enhances README with detailed setup and contribution instructions.
2026-01-31 02:04:54 +01:00

Security Policy

Reporting a Vulnerability

The FastMask team takes security seriously. We appreciate your efforts to responsibly disclose your findings.

How to Report

If you discover a security vulnerability, please report it by:

  1. Opening a private security advisory on GitHub:

    • Go to the Security tab
    • Click "New draft security advisory"
    • Provide details about the vulnerability
  2. Or emailing directly (if available in the repository owner's profile)

What to Include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response Timeline

  • Acknowledgment: Within 48 hours
  • Initial assessment: Within 1 week
  • Resolution timeline: Depends on severity, typically 30-90 days

Security Measures in FastMask

Data Storage

  • API tokens are stored using Android's EncryptedSharedPreferences (androidx.security:security-crypto)
  • Encryption uses AES-256-GCM for values and AES-256-SIV for keys; the master key that wraps these data keys is generated in, and never leaves, the Android Keystore
  • No sensitive data is stored in plain text
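The bullets above describe the scheme but not the call sequence. Here is an added example of a token store that uses exactly those settings (Keystore-backed master key, AES-256-SIV for preference keys, AES-256-GCM for values). It is illustration written for this page, not FastMask's own code; the class name, preference file name and key name are assumptions.

```kotlin
import android.content.Context
import android.content.SharedPreferences
import androidx.security.crypto.EncryptedSharedPreferences
import androidx.security.crypto.MasterKey

// Added example, not FastMask's code. TokenStore, PREFS_FILE and KEY_API_TOKEN
// are illustrative names chosen for this page.
class TokenStore(context: Context) {

    // The master key is created inside the Android Keystore (hardware-backed where
    // the device supports it); application code only ever sees an alias for it.
    private val masterKey: MasterKey = MasterKey.Builder(context)
        .setKeyScheme(MasterKey.KeyScheme.AES256_GCM)
        .build()

    // Preference keys are encrypted deterministically (AES-256-SIV) so lookups work;
    // values are encrypted with AES-256-GCM under per-file data keys that the
    // master key wraps. The resulting XML on disk contains ciphertext only.
    private val prefs: SharedPreferences = EncryptedSharedPreferences.create(
        context,
        PREFS_FILE,
        masterKey,
        EncryptedSharedPreferences.PrefKeyEncryptionScheme.AES256_SIV,
        EncryptedSharedPreferences.PrefValueEncryptionScheme.AES256_GCM
    )

    fun saveToken(token: String) {
        prefs.edit().putString(KEY_API_TOKEN, token).apply()
    }

    fun loadToken(): String? = prefs.getString(KEY_API_TOKEN, null)

    // Called on sign-out: removing the entry is enough, since the ciphertext is
    // useless without the Keystore master key of this specific device.
    fun clearToken() {
        prefs.edit().remove(KEY_API_TOKEN).apply()
    }

    companion object {
        private const val PREFS_FILE = "fastmask_secure_prefs"
        private const val KEY_API_TOKEN = "api_token"
    }
}
```

Two practical checks: the master key cannot be transferred to another device, so the encrypted preference file must be excluded from Android Auto Backup (a restored copy is unreadable and should be treated as a fresh install, not an error); and never log the value returned by loadToken(), since that would defeat the at-rest protection.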

Network Security

  • All communication with Fastmail uses HTTPS/TLS
  • Certificate pinning is recommended for production builds; pin the SPKI (public key) hash rather than the whole certificate, and ship a backup pin so routine certificate rotation on Fastmail's side does not lock users out
  • No data is sent to third-party servers
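The page recommends pinning but does not show how. The following is an added example of pinning with OkHttp's CertificatePinner; it is not FastMask's code, and both the host name (assumed to be api.fastmail.com, Fastmail's JMAP endpoint) and the two pin values are placeholders that must be replaced before use.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.util.concurrent.TimeUnit

// Added example, not FastMask's code. The pins below are all-zero placeholders:
// they are valid base64 so the builder accepts them, but they will never match a
// real key, so the client fails closed (every TLS connection is rejected) until
// they are replaced with hashes computed from Fastmail's actual chain, e.g.:
//   openssl s_client -connect api.fastmail.com:443 -servername api.fastmail.com </dev/null 2>/dev/null \
//     | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der \
//     | openssl dgst -sha256 -binary | base64
object PinnedClient {
    private const val HOST = "api.fastmail.com" // assumption: the host the app talks to

    private const val PIN_CURRENT = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="
    private const val PIN_BACKUP = "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

    // Pinning is applied after normal chain validation, so an invalid or expired
    // certificate is still rejected; the pin only narrows which valid chains are
    // accepted. Two pins (current + backup) let the server rotate its key without
    // an app update being required first.
    val client: OkHttpClient = OkHttpClient.Builder()
        .certificatePinner(
            CertificatePinner.Builder()
                .add(HOST, PIN_CURRENT)
                .add(HOST, PIN_BACKUP)
                .build()
        )
        .connectTimeout(15, TimeUnit.SECONDS)
        .readTimeout(30, TimeUnit.SECONDS)
        .build()
}
```

When a pin does not match, OkHttp throws an SSLPeerUnverifiedException whose message lists the SPKI hashes actually presented by the server; that is the quickest way to confirm the value you computed, but it should be read from a debug build, not shipped as the source of truth.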

Privacy

  • No analytics or tracking
  • No data collection
  • Direct communication with Fastmail API only

Supported Versions

Version   Supported
1.x       Yes

Best Practices for Users

  1. Protect your API token: Treat it like a password, and revoke it from your Fastmail account settings if you suspect it has been exposed
  2. Use device security: Enable screen lock on your device
  3. Keep the app updated: Install updates for security fixes
  4. Review permissions: The app only requests necessary permissions

Scope

The following are in scope for security reports:

  • Authentication and authorization issues
  • Data leakage or exposure
  • Cryptographic weaknesses
  • API security issues

The following are out of scope:

  • Social engineering attacks
  • Physical attacks on user devices
  • Denial of service attacks
  • Issues in third-party dependencies (report to upstream)