AliasVault takes security seriously and encourages responsible disclosure of security vulnerabilities.
We appreciate the work of security researchers and ethical hackers who help keep AliasVault and our users secure. If you believe you have discovered a security vulnerability in AliasVault, we encourage you to report it to us responsibly.
Please report security vulnerabilities to: security@support.aliasvault.net
For complete details on our security policy, vulnerability classification, threat model, and CVE assignment criteria, please refer to our full security policy: Security Policy (SECURITY.md)
We take responsible disclosure of security vulnerabilities seriously. Where applicable, we will:
To ensure the safety of our users and systems, please follow these guidelines:
This policy applies to AliasVault server, web client, browser extensions, mobile apps, and core cryptographic libraries. Third-party dependencies, device OS vulnerabilities, hardware compromise, and social engineering attacks are out of scope. See our full SECURITY.md for complete details.
This Hall of Fame consists of security researchers who have helped make AliasVault more secure by responsibly disclosing vulnerabilities in the past. We recognize and thank these researchers for their valuable contributions:
January 14, 2026
AliasVault Android versions 0.24.0 through 0.25.2 contained an issue in how passkey requests from Android apps were validated. Under certain local conditions, a malicious app could attempt to obtain a passkey response for a site it was not authorized to access.
September 19, 2025
A Server-Side Request Forgery (SSRF) vulnerability in the favicon extraction feature allowed internal network scanning and limited data exfiltration in AliasVault API versions ≤0.23.0.