Myne
Security

Found a hole? Tell us.

Myne's whole pitch is that you can verify it rather than trust it — so we want to hear when something is wrong. This first iteration is acknowledgment-only: we credit researchers who report responsibly. There is no monetary bounty yet.

Preferred
GitHub security advisory

Report privately through GitHub's coordinated-disclosure flow — it stays confidential until a fix ships.

github.com/myne-md/myne · Security → Report
Or email
security@myne.md

For anything that doesn't fit a GitHub advisory. Encrypt if you can; include steps to reproduce and the affected version.

/.well-known/security.txt
In scope
  • The desktop client (editor, vault, key handling)
  • The protocol spec and the cryptographic implementation
  • The sync server, once it ships (Phase 2)
  • The build & release pipeline, signed builds, the auto-updater
  • This website and the /.well-known/security.txt it serves
Out of scope
  • Theoretical attacks already documented in the threat model (A7 active malware, A10 nation-state, A12 coercion)
  • Lost-password / lost-recovery-phrase data loss — by design, there is no reset
  • Best-practice nags without a concrete, reproducible impact
What to expect

Coordinated, credited, and honest about limits.

We acknowledge reports as fast as a two-person team can, work a fix under coordinated disclosure, and credit you in the release notes unless you'd rather stay anonymous. Where the threat model already says we don't defend something — active malware, a nation-state adversary, coercion — we'll say so plainly rather than pretend otherwise. The protocol spec and threat model are the contract.