Security & responsible disclosure

Last updated: June 2026

Our commitment

Privacy Guardian builds security-sensitive products — a zero-knowledge password manager and VPN services. We appreciate researchers and users who report issues responsibly so we can fix them before they are exploited.

For an overview of how encryption and client-side protection work today, see our security model.

Scope

We welcome reports that affect the confidentiality, integrity, or availability of:

  • Web properties: privacyguardian.co and the Privacy Guardian web application (account, vault sync, admin interfaces).
  • Browser extension: official Privacy Guardian extension distributed through our site or linked stores.
  • Mobile apps: Privacy Guardian VPN and related apps published under our brand.
  • VPN infrastructure: servers and APIs operated by Privacy Guardian for VPN connectivity and monitoring.

Out of scope

The following are generally not eligible for acknowledgment unless they demonstrate meaningful impact:

  • Denial-of-service attacks against production systems.
  • Social engineering, phishing, or physical attacks against staff or users.
  • Reports requiring physical access to a user's unlocked device.
  • Missing security headers or cookie flags without a demonstrated exploit.
  • Issues in third-party services we do not control (hosting panels, app stores, etc.).
  • Spam, rate-limiting bypass without security impact, or automated scanner output without validation.

Safe harbor

If you act in good faith — do not access data belonging to others, do not degrade service for other users, and give us reasonable time to remediate before public disclosure — we will not pursue legal action against you for your research activities within this policy.

Use only test accounts you own or accounts explicitly authorized for testing. Do not exfiltrate user vault data, credentials, or VPN session details beyond what is necessary to demonstrate the issue.

How to report

Email [email protected] with:

  • A clear description of the vulnerability and affected component.
  • Steps to reproduce, including URLs, app versions, and configuration if relevant.
  • Proof-of-concept code, screenshots, or logs (redact unrelated personal data).
  • Your preferred contact for follow-up.

Encrypt sensitive details if you wish; we can provide a PGP key on request. For account or privacy questions unrelated to security vulnerabilities, contact [email protected].

What to expect

  • Acknowledgment: We aim to confirm receipt within 3 business days.
  • Triage: We will assess severity and scope, and may ask for clarification.
  • Remediation: Critical issues are prioritized; timelines depend on complexity and deployment constraints.
  • Disclosure: Please allow at least 90 days before public disclosure unless we agree otherwise. We may credit researchers who wish to be named.

We do not currently operate a paid bug bounty program. Recognition is at our discretion based on report quality and impact.

Operational security notes

Admin access to operational dashboards is logged. VPN connection metadata used for capacity monitoring is retained for a limited period and automatically purged; see our Privacy Policy for details.