Don't trust us. Verify.
Audit Status
SaladVault is a young and transparent project. We don't yet have a formal audit by a third-party firm, and we don't pretend otherwise. Here's where we stand:
Cryptographic Architecture
Here are the exact primitives and parameters used. Everything is verifiable in the source code.
What You Can Verify
The source code is fully public. Here's what you can audit yourself:
- The complete source code is on GitHub (AGPL-3.0): github.com/salad-vault
- All cryptographic operations are in src-tauri/src/crypto/ — no custom crypto, only audited libraries (chacha20poly1305, argon2, hkdf)
- Network calls are in src-tauri/src/sync/client.rs — you can verify only encrypted blobs are transmitted
- The local database contains only encrypted blobs — open saladvault.db with any SQLite client to verify
- Cryptographic material in memory is wiped after use via the zeroize crate — verifiable in src-tauri/src/crypto/keys.rs
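The "open saladvault.db with any SQLite client" check above can be automated. The script below is an added example, not SaladVault's own code: it walks every table and column of an SQLite file and flags values that look like plaintext (long, almost entirely printable, low entropy, and not hex or base64 encoded) so a reviewer can inspect them. The `vault_items` schema and the sample rows are constructed for the demonstration; SaladVault's real schema is not on this page, which is exactly why the scanner reads the schema from `sqlite_master` instead of assuming table or column names.

```python
import base64
import binascii
import hashlib
import math
import os
import sqlite3
import string
import tempfile

PRINTABLE = set(string.printable.encode())

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the value: natural-language text is usually well below 5,
    raw ciphertext approaches 8 (or log2 of its length for short values)."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_encoded(value: bytes) -> bool:
    """Hex or strict base64 text is most likely an encoded ciphertext, not a secret in the
    clear (short words that happen to be valid base64 slip through; this is a triage aid)."""
    try:
        bytes.fromhex(value.decode("ascii"))
        return True
    except ValueError:
        pass
    try:
        base64.b64decode(value, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def looks_like_plaintext(value: bytes, min_len: int = 16) -> bool:
    """Flag long, almost entirely printable, low-entropy, non-encoded values for review."""
    if len(value) < min_len:
        return False
    printable_ratio = sum(1 for b in value if b in PRINTABLE) / len(value)
    return printable_ratio > 0.95 and not looks_encoded(value) and shannon_entropy(value) < 4.8

def scan_database(path: str) -> list:
    """Walk every table and column; return (table, column, rowid) for each suspicious value."""
    findings = []
    conn = sqlite3.connect(path)
    try:
        tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
            try:
                rows = conn.execute(f'SELECT rowid, * FROM "{table}"').fetchall()
            except sqlite3.OperationalError:  # WITHOUT ROWID tables have no rowid
                rows = [(None, *r) for r in conn.execute(f'SELECT * FROM "{table}"')]
            for row in rows:
                rowid, values = row[0], row[1:]
                for col, val in zip(cols, values):
                    if isinstance(val, str):
                        val = val.encode("utf-8")
                    if isinstance(val, bytes) and looks_like_plaintext(val):
                        findings.append((table, col, rowid))
    finally:
        conn.close()
    return findings

def build_sample_db(path: str) -> None:
    """Constructed sample database (the schema is made up, not SaladVault's): row 1 holds
    only ciphertext-like data, row 2 leaks a plaintext note."""
    ciphertext_like = hashlib.sha512(b"constructed-sample").digest() * 2  # 128 pseudo-random bytes
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE vault_items (id INTEGER PRIMARY KEY, blob BLOB, notes TEXT)")
        conn.execute("INSERT INTO vault_items VALUES (1, ?, ?)",
                     (ciphertext_like, "c2VhbGVkIGJsb2I="))  # base64 text: treated as encoded
        conn.execute("INSERT INTO vault_items VALUES (2, ?, ?)",
                     (ciphertext_like, "login: alice@example.com password: hunter2"))
    conn.close()

def demo() -> list:
    """Build the sample in a temp dir and scan it; a clean vault file returns an empty list."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "sample.db")
        build_sample_db(path)
        return scan_database(path)

if __name__ == "__main__":
    for table, col, rowid in demo():
        print(f"possible plaintext in {table}.{col} rowid={rowid}")
```

Run it against a copy of the real file with `scan_database("/path/to/saladvault.db")`; an empty result means nothing in the file passed the plaintext heuristics, and every hit is a row worth opening by hand. The thresholds are deliberately loose so that encrypted blobs stored as hex or base64 are not reported as plaintext.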
Supply Chain Protection
Supply chain security is critical. Here are our measures:
- 100% Rust for the desktop app — no npm postinstall scripts in the binary
- CI actions pinned by SHA hash (immutable) — not by mutable tags
- cargo audit runs on every commit in CI
- Dependabot enabled on all 3 repositories (desktop, API, extension) — automatic CVE alerts
- Browser extension: ignore-scripts=true in .npmrc — blocks malicious install scripts
- Binaries signed with minisign (Ed25519) — automatic verification by the update system
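Two of the measures listed above, SHA-pinned CI actions and `ignore-scripts=true` in `.npmrc`, can be checked mechanically when reviewing the repositories. The checker below is an added example, not SaladVault's own tooling: it lists every third-party `uses:` entry in a GitHub Actions workflow whose ref is not a full 40-hex commit SHA, and confirms that an `.npmrc` actually sets `ignore-scripts=true`. The sample workflow, the commit SHA and the `example-org/some-action` reference are constructed for illustration.

```python
import re

# `uses:` lines in a GitHub Actions workflow, with or without a leading list dash and quotes.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def unpinned_actions(workflow_yaml: str) -> list:
    """Return (action, ref) for each third-party action whose ref is a mutable tag or branch
    rather than a full 40-hex commit SHA."""
    findings = []
    for match in USES_RE.finditer(workflow_yaml):
        spec = match.group(1)
        if spec.startswith("./") or spec.startswith("docker://"):
            continue  # local actions carry no ref; container images are checked differently
        action, _, ref = spec.partition("@")
        if not FULL_SHA_RE.match(ref):
            findings.append((action, ref or "<none>"))
    return findings

def npmrc_ignores_scripts(npmrc_text: str) -> bool:
    """True when .npmrc sets ignore-scripts=true, so npm install runs no lifecycle scripts."""
    for line in npmrc_text.splitlines():
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        key, _, value = line.partition("=")
        if key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False

# Constructed sample workflow: the SHA and the example-org action are made up for illustration.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # pinned
      - uses: ./.github/actions/local-helper
      - name: audit
        uses: "example-org/some-action@main"
      - run: cargo audit
"""

SAMPLE_NPMRC = """\
; constructed sample .npmrc for the browser extension
ignore-scripts=true
"""

if __name__ == "__main__":
    for action, ref in unpinned_actions(SAMPLE_WORKFLOW):
        print(f"unpinned: {action}@{ref}")
    print("ignore-scripts:", npmrc_ignores_scripts(SAMPLE_NPMRC))
```

Point `unpinned_actions` at the contents of each file under `.github/workflows/` of the three repositories; a clean run returns an empty list. A tag such as `v4` can be moved to a different commit by the action's maintainer, whereas a full SHA cannot, which is the property the pinning measure relies on.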
Report a Vulnerability
If you discover a security vulnerability, please do not disclose it publicly. Use GitHub's Security Advisories system to contact us confidentially. We commit to responding within 48 hours.
Report via GitHub Security Advisories →
Warrant Canary
A Warrant Canary is a regularly updated statement confirming the absence of secret government orders.
As of this date, SaladVault has not received any government orders, national security letters, or any court orders compelling us to provide user data or insert a backdoor into our software.
Last updated: April 2026