
Security: curet-dev/nextdotenv


Security Policy

Supported Versions

Version Supported
1.x

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, please email us at: curet@vibrance.ltd

Include the following information:

  • Type of vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

You will receive a response within 48 hours. We will work with you to understand and resolve the issue quickly.

Security Measures

nextdotenv uses industry-standard security practices:

  • AES-256-GCM authenticated encryption
  • PBKDF2 key derivation with 100,000 iterations
  • Unique salt and IV generated for each backup
  • Rate limiting on web interface (10 requests per minute)
  • Zero external dependencies to minimize attack surface
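
The encryption scheme in the list above, sketched with Node's built-in crypto module as an added example (it is not nextdotenv's own code). The PBKDF2 digest (SHA-256), the salt, IV and tag sizes, the salt || iv || tag || ciphertext layout and all function names are assumptions; the policy specifies only the cipher, the KDF and the iteration count.

```javascript
// Added example, not nextdotenv's code. Only AES-256-GCM, PBKDF2 and the
// 100,000 iteration count come from the policy; everything else is assumed.
const crypto = require('node:crypto');

const ITERATIONS = 100000;   // from the policy
const DIGEST = 'sha256';     // assumption: the policy does not name the hash
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16; // assumed sizes
const HEADER_LEN = SALT_LEN + IV_LEN + TAG_LEN;

function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, 32, DIGEST);
}

// Assumed layout: salt || iv || tag || ciphertext. Fresh salt and IV per call.
function encryptBackup(plaintext, password) {
  const salt = crypto.randomBytes(SALT_LEN);
  const iv = crypto.randomBytes(IV_LEN);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Throws if the password is wrong or any byte of the blob was modified.
function decryptBackup(blob, password) {
  if (blob.length < HEADER_LEN) throw new Error('backup is truncated');
  const salt = blob.subarray(0, SALT_LEN);
  const iv = blob.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = blob.subarray(SALT_LEN + IV_LEN, HEADER_LEN);
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKey(password, salt), iv,
    { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(blob.subarray(HEADER_LEN)), decipher.final()]);
  return pt.toString('utf8');
}

function verifyBackup(blob, password) {
  try { decryptBackup(blob, password); return true; } catch { return false; }
}

// Constructed sample input, not a real secret.
const sampleEnv = 'DATABASE_URL=postgres://localhost/dev\nAPI_KEY=constructed-example\n';
const blob = encryptBackup(sampleEnv, 'correct horse battery staple');
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
console.log('round trip ok:', decryptBackup(blob, 'correct horse battery staple') === sampleEnv);
console.log('tampered accepted:', verifyBackup(tampered, 'correct horse battery staple'));
console.log('wrong password accepted:', verifyBackup(blob, 'not the password'));
```

Because the salt and IV are random per call, encrypting the same file twice with the same password yields different blobs, and the GCM tag makes a wrong password indistinguishable from a corrupted file at decryption time.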

Best Practices

When using nextdotenv:

  1. Use strong passwords (minimum 8 characters, recommended 16+)
  2. Never commit .env files to version control
  3. Add .env to your .gitignore
  4. Rotate passwords periodically using nextdotenv rotate
  5. Verify encrypted files with nextdotenv verify after password changes

There aren’t any published security advisories