Security

Security Policy

TermZ handles credentials, so we take security reports seriously. Here's how to reach us and what to expect.

TermZ is early-release (beta) software and has not undergone a formal third-party security audit. It is free to use and provided on an “AS IS” basis (see the Terms of Use). Please review the download page notice before relying on it for sensitive data.

Reporting a vulnerability

Please report suspected security issues privately — do not open a public issue or disclose details publicly until we've had a chance to investigate and ship a fix.

  • Email [email protected] with the subject “TermZ security report”.
  • Include: affected version/platform, a description of the issue, and clear steps to reproduce (a proof-of-concept helps).
  • If the report is sensitive, ask in your first message and we'll arrange an encrypted channel.

What to expect

  • We aim to acknowledge new reports within a few days. TermZ is maintained by a small team, so we can't commit to a strict SLA, but credible reports are prioritized.
  • We'll confirm the issue, keep you updated on remediation, and credit you in the changelog if you'd like (opt-in).
  • Fixes ship in a new release; see supported versions below.

Safe harbor

We support good-faith security research. If you make a genuine effort to comply with this policy, we will not pursue or support legal action against you for your research. In return, please:

  • Only test against your own installation and your own data.
  • Do not access, modify, or exfiltrate other people's data; do not run denial-of-service or spam tests.
  • Give us reasonable time to remediate before any public disclosure.

Scope

In scope: the TermZ desktop application, the official installers on dl.termz.app, and this website.

Out of scope: vulnerabilities in third-party dependencies (please report upstream), social-engineering or physical attacks, and issues that require a already-compromised device.

Supported versions

While TermZ is pre-1.0, only the latest release receives security fixes. Please update to the newest version (the app checks on launch) before reporting, and confirm the issue still reproduces there.

Our security model

A quick summary of how TermZ protects your data (see the documentation for detail):

  • Credential vault — secrets stored in a SQLCipher database encrypted at rest; key derived from your master password with Argon2id; sealed with ChaCha20-Poly1305 authenticated encryption. Plaintext secrets are never written to disk.
  • Host-key pinning (TOFU) — connections are hard-blocked on a host-key change, with an append-only audit log of trust decisions.
  • Output masking — rules to keep secrets out of session logs.
  • Cross-device sync — optional and end-to-end encrypted; you bring your own storage and the bucket only ever sees ciphertext. See the sync setup guide.
  • Signed releases — macOS builds are Developer ID signed and notarized by Apple; Windows builds are signed via Azure Trusted Signing.