Security Policy

Effective March 2026 · JC Laboratories / jclabs.tech

    JC Laboratories is a security-focused company. We take vulnerability reports seriously and commit to working with the security community in good faith.
  

1. Responsible Disclosure

If you discover a security vulnerability in any JC Laboratories product or service — including Aleph Vault, Gaffer, the JC Labs Community, or jclabs.tech — we ask that you report it to us privately before public disclosure. This gives us time to investigate and remediate before the vulnerability is exploited.

Please send vulnerability reports to: security@jclabs.tech

Include in your report:

A description of the vulnerability and its potential impact
Steps to reproduce (proof-of-concept code or screenshots if applicable)
The affected product, version, or URL
Your contact information (optional — anonymous reports accepted)

2. Our Commitments to Researchers

Acknowledgment: We will acknowledge receipt of your report within 72 hours
Communication: We will keep you informed of our investigation progress
Timeline: We target remediation within 90 days of confirmation. We will notify you if we need more time and explain why
No legal action: We will not pursue legal action against security researchers who act in good faith and follow this policy
Credit: We will credit you in our disclosure communications if you wish to be identified
No bounties: JC Laboratories does not currently offer monetary bug bounties. We offer acknowledgment and our genuine gratitude

3. Scope

    In scope: Aleph Vault Android app, jclabs.tech website and community features, ai.jclabs.tech (Gaffer), JC Laboratories APIs, and Firebase infrastructure we control.
  

Out of scope:

Third-party services we use (Firebase, Stripe, Cloudflare, Google Cloud, OpenAI, Anthropic, Groq) — report these directly to the respective vendor
Denial of service attacks
Social engineering of JC Laboratories staff
Physical security attacks
Automated scanning that degrades service quality
Theoretical vulnerabilities without a working proof of concept
Previously reported and known issues

4. Rules of Engagement

To qualify for good-faith protection, researchers must:

Not access, modify, delete, or exfiltrate user data beyond what is minimally necessary to demonstrate the vulnerability
Not perform actions that could impact service availability for other users
Not use the vulnerability for personal gain beyond demonstrating it to us
Not disclose the vulnerability publicly until we have had 90 days to remediate, or we have agreed on a disclosure timeline
Report only vulnerabilities they have personally discovered

5. Cryptography and Known Limitations

JC Laboratories implements the following cryptographic standards in Aleph Vault:

AES-256-GCM — symmetric encryption for vault contents
X25519 — ECDH key agreement for MessageCrypt
Ed25519 — digital signatures for message integrity
PBKDF2-SHA256 (310,000 iterations) — password-based key derivation
Shamir's Secret Sharing — Enterprise Recovery key splitting

We implement these using the Dart cryptography package. We make no warranty that our implementations are free from unknown vulnerabilities. If you discover a cryptographic implementation flaw, please report it under this policy.

6. DMCA Agent

For copyright infringement notices under 17 U.S.C. § 512, contact our designated agent:

Agent: Justin Czap
Email: dmca@jclabs.tech
Address: JC Laboratories, Michigan, United States

7. PGP Verification

For sensitive security reports, you may request our PGP public key by emailing security@jclabs.tech. We will provide it in our response.

8. Contact

Security: security@jclabs.tech
DMCA: dmca@jclabs.tech
General: contact@jclabs.tech