Security is the foundation of MyWorld. As a password manager, we understand that you're trusting us with your most sensitive data. We take this responsibility extremely seriously.
This document outlines our security practices and provides instructions for responsible vulnerability disclosure.
| Version | Status | Security Updates |
|---|---|---|
| 2.x.x | Current | Active support |
| 1.x.x | Critical fixes only | |
| < 1.0 | EOL | No support |
Recommendation: Always use the latest version to ensure you have the most recent security patches.
| Component | Technology | Details |
|---|---|---|
| Data Encryption | AES-256-GCM | Authenticated encryption for all stored data |
| Key Derivation | PBKDF2-SHA256 | 100,000+ iterations, unique salt per vault |
| Update Signatures | Ed25519 | Cryptographic verification of all updates |
| Hash Verification | SHA-256 | Integrity checking for downloaded files |
```
+---------------------------------------------------------+
|                       YOUR DEVICE                       |
|  +---------------------------------------------------+  |
|  |                   MYWORLD VAULT                   |  |
|  |    +-------------+     +---------------------+    |  |
|  |    | Master Key  |---->|  AES-256 Encrypted  |    |  |
|  |    |  (PBKDF2)   |     |      Passwords      |    |  |
|  |    +-------------+     +---------------------+    |  |
|  +---------------------------------------------------+  |
|                                                         |
|                        NO CLOUD                         |
|                         NO SYNC                         |
|                      NO TELEMETRY                       |
+---------------------------------------------------------+
```
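
The flow in the table and diagram above (master password, PBKDF2-SHA256 with a per-vault salt, then AES-256-GCM) sketched with Node.js's built-in `crypto` module. This is an added example, not MyWorld's code; the function names, record layout, salt and nonce sizes, and sample values are assumptions.

```javascript
// Added example, not MyWorld's code. Function names, record layout,
// salt/nonce sizes and sample values are assumptions.
const crypto = require("crypto");

const ITERATIONS = 100000; // lower bound stated in the table above
const KEY_BYTES = 32;      // 256-bit key for AES-256-GCM

// Master password + per-vault salt -> vault key (PBKDF2-SHA256).
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, ITERATIONS, KEY_BYTES, "sha256");
}

// Encrypt vault contents under a fresh random salt and a fresh 96-bit nonce.
function sealVault(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Decrypt; GCM tag verification fails (null) on a wrong password or any
// modified ciphertext byte, so corrupted data is never returned.
function openVault(password, rec) {
  try {
    const d = crypto.createDecipheriv("aes-256-gcm", deriveKey(password, rec.salt), rec.iv);
    d.setAuthTag(rec.tag);
    return Buffer.concat([d.update(rec.ct), d.final()]).toString("utf8");
  } catch {
    return null;
  }
}

// Constructed sample data exercising the three cases.
function demo() {
  const pw = "correct-horse-battery-staple-42!";
  const rec = sealVault(pw, "example.com:s3cret");
  const tampered = { ...rec, ct: Buffer.from(rec.ct) };
  tampered.ct[0] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: openVault(pw, rec),
    wrongPassword: openVault("password123", rec),
    tampered: openVault(pw, tampered),
    saltsDiffer: !sealVault(pw, "x").salt.equals(rec.salt),
  };
}

console.log(demo());
```
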
| Feature | Description |
|---|---|
| Zero-Knowledge | Master password never stored or transmitted |
| Memory Protection | Sensitive data cleared from RAM after use |
| Auto-Lock | Automatic vault locking after inactivity |
| Clipboard Guard | Auto-clear clipboard after copying passwords |
| Signed Updates | Ed25519 signatures prevent tampered updates |
| Offline-First | No internet required; no data leaves your device |
We appreciate the security research community's efforts in helping keep our users safe.
DO NOT open a public GitHub issue for security vulnerabilities.
Public disclosure before a fix is available puts users at risk.
Email: moner.intelligence@gmail.com
Subject Line: [SECURITY] Brief description
```markdown
## Vulnerability Report

**Type:** [e.g., Encryption flaw, Authentication bypass, Data exposure]
**Severity:** [Critical / High / Medium / Low]
**Affected Version(s):** [e.g., 2.0.0]

**Description:**
[Clear description of the vulnerability]

**Steps to Reproduce:**
1. Step one
2. Step two
3. ...

**Impact:**
[What an attacker could achieve]

**Proof of Concept:**
[Code, screenshots, or video if available]

**Suggested Fix:**
[Optional - your recommendations]
```

| Stage | Timeframe |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial Assessment | Within 7 days |
| Status Updates | Every 7 days during investigation |
| Resolution | Based on severity (critical: ASAP) |
| Disclosure | Coordinated with researcher |
We consider security research conducted in accordance with this policy to be:
- Authorized and lawful
- Helpful to the security of our users
- Conducted in good faith

- Report vulnerabilities in good faith
- Avoid privacy violations and data destruction
- Do not exploit vulnerabilities beyond proof of concept
- Allow reasonable time for fixes before disclosure
- Do not use findings for personal gain or malicious purposes
| Practice | Why It Matters |
|---|---|
| Strong Master Password | Use 16+ characters, mix of types, unique to MyWorld |
| Keep Updated | Updates include critical security patches |
| Secure Backups | Encrypt backup files, store in safe location |
| Lock When Away | Use auto-lock or manually lock when leaving |
| Verify Downloads | Only download from official GitHub releases |
| Never Share | Never share your master password with anyone |

- Weak: password123
- Medium: MyP@ssw0rd!
- Strong: correct-horse-battery-staple-42!
- Best: [Generated 20+ character random password]

| Purpose | Contact |
|---|---|
| Security Reports | moner.intelligence@gmail.com |
| Bug Reports | GitHub Issues |
| General Questions | GitHub Discussions |
Thank you for helping keep MyWorld users safe.