Security Policy
LifeHandler stores highly sensitive personal data (identity documents, IBAN, bank accounts…) under a zero-knowledge encryption scheme. We take security reports seriously and appreciate responsible disclosure.
Reporting a vulnerability
Do not open a public GitHub issue for security vulnerabilities.
Send a private report to security@lifehandler.fr with the subject line `[security] <short description>`. Include:
- A description of the issue and its potential impact.
- Steps to reproduce (proof of concept, screenshots, request/response pairs, etc.).
- Your name or handle if you want public credit after the fix ships, or an explicit request to remain anonymous.
You will get an acknowledgement within 72 hours.
PGP key: not currently published. If you need encrypted communication, send an unencrypted first contact asking for an out-of-band channel.
Scope
In scope:
- The web application at the production domain.
- The mobile application (Expo).
- The MCP server (`https://*.functions.fnc.fr-par.scw.cloud`).
- MCP server authentication (signed Supabase JWT verified via `supabase.auth.getUser()`; a raw `Bearer <user-id>` is rejected).
- The public API routes under `/api/`.
- The client-side encryption code (AES-256-GCM + Argon2id).
- The hardcoded sensitive-keys runtime gate (`src/lib/sensitive-keys.ts`) that prevents hyper-sensitive fields (SSN, IBAN, ID/passport numbers, card data, passwords…) from ever being transmitted to the AI agent.
- The 3-tier data-sensitivity model that governs both UI rendering and agent access:
  - Tier 1 (e.g. marital status, contract type) — visible by default, agent may request the value with user consent.
  - Tier 2 (e.g. email, postal address) — masked by default, eye toggle to reveal; agent is prompt-forbidden from requesting them and may only see them if the user proactively pastes the value into the chat.
  - Tier 3 (e.g. NIR, IBAN, ID/passport numbers) — masked + strong-auth-gated reveal; agent can never access these (hard-coded `ABSOLUTE_BLOCKED` runtime gate, no override). Full model documented in PRIVACY.md §4 and on the project Notion (Page 05 "Crypto zéro-knowledge").
Out of scope:
- Issues reproducible only with browser extensions, malware, or physical access to an unlocked device.
- Denial-of-service through brute volume.
- Social engineering of the maintainer.
- Reports against third-party services (Supabase, Vercel, Scaleway, Anthropic) — please report those directly to the vendor.
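As an added illustration of the tiered runtime gate described in the scope above (this is not LifeHandler's own `src/lib/sensitive-keys.ts`, whose contents are not shown here), the TypeScript below treats tier 3 as a frozen `ABSOLUTE_BLOCKED` set with no override, drops tier 2 silently, forwards tier 1 only with per-key consent, and fails closed on unclassified keys. Key names and tier assignments are assumptions taken from the examples in the policy.

```typescript
// Added illustration of a sensitive-keys runtime gate; NOT LifeHandler's own
// src/lib/sensitive-keys.ts. Key names and tiers are assumptions from the policy.
export type Tier = 1 | 2 | 3;

// Tier 3: a hard-coded constant set. No caller-supplied option can widen it.
export const ABSOLUTE_BLOCKED: ReadonlySet<string> = new Set([
  "nir", "iban", "idNumber", "passportNumber", "cardNumber", "password",
]);
const TIER_OF: Readonly<Record<string, Tier>> = {
  maritalStatus: 1, contractType: 1, // visible; agent needs user consent
  email: 2, postalAddress: 2,        // masked; agent must never request
};
// Unclassified keys fail closed to tier 3: every new field must be classified.
export function tierOf(key: string): Tier {
  return ABSOLUTE_BLOCKED.has(key) ? 3 : (TIER_OF[key] ?? 3);
}

export interface GateResult {
  payload: Record<string, unknown>; // the only data handed to the agent
  blocked: string[];                 // tier-3 paths stripped (alert on these)
}
function isRecord(v: unknown): v is Record<string, unknown> {
  return typeof v === "object" && v !== null && !Array.isArray(v);
}

// Gate a record (recursively) before it reaches the agent tool layer.
// consented: tier-1 keys the user explicitly approved for this request.
export function gateForAgent(
  input: Record<string, unknown>, consented: ReadonlySet<string>, path = "",
): GateResult {
  const payload: Record<string, unknown> = {};
  const blocked: string[] = [];
  for (const [key, value] of Object.entries(input)) {
    const fullPath = path ? `${path}.${key}` : key;
    if (ABSOLUTE_BLOCKED.has(key)) { blocked.push(fullPath); continue; } // whole subtree
    if (isRecord(value)) {
      const sub = gateForAgent(value, consented, fullPath);
      payload[key] = sub.payload;
      blocked.push(...sub.blocked);
      continue;
    }
    switch (tierOf(key)) {
      case 3: blocked.push(fullPath); break;                       // never sent
      case 2: break;                                               // omitted
      case 1: if (consented.has(key)) payload[key] = value; break; // consent only
    }
  }
  return { payload, blocked };
}
```

A non-empty `blocked` list means some upstream code tried to hand tier-3 data to the agent, which is worth logging as a defect even though nothing leaked.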
Severity & response timeline
| Severity | Examples | Acknowledgement | Fix target |
|---|---|---|---|
| Critical | Auth bypass, account takeover, master-key leak, RCE | ≤ 72h | ≤ 7 days |
| High | Stored XSS reaching another user, privilege escalation | ≤ 72h | ≤ 14 days |
| Medium | Reflected XSS, CSRF on sensitive action | ≤ 72h | ≤ 30 days |
| Low | Information disclosure without PII, missing security header | ≤ 7d | best-effort |
Hall of fame
We will publicly credit researchers who report valid vulnerabilities once a fix has shipped and users have had time to update.
(Empty for now — be the first.)
What we promise
- We will not pursue legal action against you for security research conducted in good faith on the scope above.
- We will keep you informed of the fix progress.
- We will not disclose your identity without your consent.
- We will publish a post-mortem for any user-affecting incident.
Compliance
In case of a data breach affecting users, LifeHandler commits to notifying the CNIL within 72 hours (RGPD Art. 33) and informing affected users without undue delay if the risk is high (Art. 34).