| Version | Supported |
|---|---|
| 2.15.x | ✅ |
| 2.14.x | ✅ |
| < 2.14 | ❌ |

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
- DO NOT create a public GitHub issue for security vulnerabilities
- Email security concerns to: security@vasic.digital
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 7 days
- Resolution Timeline: Depends on severity
  - Critical: 24-72 hours
  - High: 1-2 weeks
  - Medium: 2-4 weeks
  - Low: Next release cycle

The following are in scope for security reports:
- Yole Android application
- Yole Desktop application
- Yole iOS application
- Yole Web application
- Shared KMP module
- Network protocol implementations
- File encryption functionality
- Credential storage

The following are out of scope:
- Third-party dependencies (report to upstream)
- Social engineering attacks
- Physical attacks
- Denial of service attacks
- Encryption: AES-256 for file encryption
- Credentials: Platform-specific secure storage
  - Android: EncryptedSharedPreferences
  - Desktop: Java Preferences with encryption
  - iOS: Keychain Services
  - Web: Encrypted localStorage
- All cloud connections use HTTPS/TLS 1.2+
- Certificate pinning for cloud services
- No telemetry or data collection
- Offline-first architecture

The network protocol layer includes these resilience mechanisms to protect against cascading failures and resource exhaustion:
- CircuitBreaker (network/common/CircuitBreaker.kt): Implements a CLOSED/OPEN/HALF_OPEN state machine with configurable failure threshold and reset timeout. Prevents repeated calls to failing services.
- ConnectionLimiter (network/common/ConnectionLimiter.kt): Semaphore-based concurrent connection limiting. Non-blocking design prevents resource exhaustion under high load.
- DocumentCache (format/DocumentCache.kt): LRU cache for ParsedDocument instances with hit/miss tracking and configurable maximum size.

All catch blocks in all eight protocol service implementations (FTP, SFTP, SMB, WebDAV, Git, Dropbox, Google Drive, OneDrive) rethrow kotlin.coroutines.cancellation.CancellationException. This ensures that structured concurrency is never silently broken when a coroutine is cancelled, preventing coroutine leaks and hung operations.
API query strings sent to cloud providers (Google Drive, OneDrive, Dropbox) are sanitized before transmission:
- Single-quote escaping to prevent query injection in search and filter operations
- URL encoding for path and query parameters
- JSON escaping for request bodies containing user-supplied data
All protocol services that handle file paths use normalizePath() which resolves .. path segments and enforces root boundary constraints. This prevents directory traversal attacks that could access files outside the configured storage root.
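
A minimal sketch of the lexical `..` resolution and root check described above, added here as an illustration. It is not Yole's normalizePath(); the function name, exception type and sample paths are assumptions.

```kotlin
// Added illustration: NOT the project's normalizePath(). All names are hypothetical.
// Resolves "." and ".." lexically on a '/'-separated remote path and rejects
// any path that would climb above the configured storage root.
class PathTraversalException(message: String) : IllegalArgumentException(message)

fun normalizeWithinRoot(root: String, userPath: String): String {
    // Callers must pass the already URL-decoded path: normalising before
    // decoding would let an encoded "%2e%2e" through untouched.
    // Backslashes are treated as separators so "..\.." cannot sidestep the
    // check on servers that accept either form.
    val unified = userPath.replace('\\', '/')
    if ('\u0000' in unified) throw PathTraversalException("NUL byte in path")

    val stack = ArrayDeque<String>()
    for (segment in unified.split('/')) {
        when (segment) {
            "", "." -> Unit // empty or current-directory segment: skip
            ".." -> if (stack.isEmpty()) {
                // Nothing left to pop: the path would leave the root.
                throw PathTraversalException("path escapes root: $userPath")
            } else {
                stack.removeLast()
            }
            else -> stack.addLast(segment)
        }
    }
    // Absolute user paths are interpreted relative to the root, never the server's "/".
    val base = "/" + root.trim('/')
    val prefix = if (base == "/") "" else base
    return if (stack.isEmpty()) base else prefix + "/" + stack.joinToString("/")
}

fun main() {
    val root = "/notes" // constructed sample root
    // Constructed sample inputs: three benign, three traversal attempts.
    val samples = listOf(
        "todo.md", "a/./b/../c.md", "/abs/file.md",
        "../etc/passwd", "a/../../secret", "..\\..\\win.ini",
    )
    for (p in samples) {
        val result = try {
            normalizeWithinRoot(root, p)
        } catch (e: PathTraversalException) {
            "REJECTED (${e.message})"
        }
        println("$p -> $result")
    }
}
```

A purely lexical check like this does not see symbolic links on the remote side, so a server that follows symlinks needs its own root confinement as well.
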
Protocol services that maintain a serviceScope cancel it on reconnect and disconnect operations. This prevents coroutine leaks from orphaned background operations when connection state changes.
- Detekt: Static analysis configured in config/detekt/detekt.yml with security-focused rules
- Snyk: Dependency vulnerability scanning in CI/CD and Docker
- SonarQube: Code quality and security analysis (Docker-based local instance)
- CodeQL: GitHub-native static analysis for Java/Kotlin
- Gitleaks: Secret scanning across full git history
- OWASP Dependency-Check: Gradle plugin (version 11.1.1, failBuildOnCVSS = 9.0f)

For detailed instructions on running security scans locally and in CI, see docs/SECURITY_SCANNING.md.
Before submitting code:
- No hardcoded credentials or API keys
- Input validation for all user data
- Proper error handling (no stack traces to users)
- Secure random number generation
- No SQL injection vulnerabilities
- No path traversal vulnerabilities
- Proper permission checks
- Memory-safe operations
We follow responsible disclosure:
- Reporter notifies us privately
- We acknowledge and investigate
- We develop and test a fix
- We release the fix
- We credit the reporter (if desired)
- Details published after 90 days or fix release
- Security Email: security@vasic.digital
- PGP Key: Available upon request