This policy applies to the Invoult repository and its first-party services:
- Laravel API (`app/`)
- Frontend (`frontend/`)
- Python worker (`python-worker/`)
- Extension loading/runtime (`extensions/`)

Please do not open public issues for security vulnerabilities.
Instead, report privately to the maintainers with:
- Vulnerability type and affected component
- Reproduction steps
- Expected impact
- Suggested mitigation (if any)
If direct private channels are not available, open an issue requesting a private security contact and avoid disclosing exploit details.

Invoult handles user documents and secrets, so priority classes include:
- Authentication and token/session handling flaws
- Authorization and ownership bypasses
- File encryption/decryption weaknesses
- Public share link bypasses (password, expiry, access-limit, delivery mode)
- Sensitive data leakage in logs/responses
- Extension permission and route-gating bypasses
- Backup/recovery abuse or restore bypasses

- Never commit secrets (`.env`, credentials, private tokens, keys)
- Keep dependencies up to date for Laravel/Node/Python stacks
- Use HTTPS for public deployments
- Rotate OAuth and worker secrets if exposure is suspected
- Restrict tunnel/public endpoints to required exposure only