A permanent record of security notifications, resolved vulnerabilities, and the researchers who help keep Passary secure.
At Passary, valid security research is not a threat—it is a vital component of our defense strategy. We operate with a security-first mindset that prioritizes protecting user data above reputation or convenience. Our local-first, zero-knowledge architecture ensures that we cannot access user data, but we rely on the global security community to help verify the integrity of the systems that surround it.
We are committed to full transparency regarding security issues. When vulnerabilities are confirmed, we fix them, we disclose them, and we properly credit the researchers. We do not hide implementation errors; we fix them and learn from them publicly.
We adhere to industry-standard coordinated disclosure practices to ensure user safety while respecting researcher contributions.
- We acknowledge all security reports within 24–48 hours of receipt.
- Our security team provides an initial technical assessment and validity confirmation within 5 business days.
- We target a 90-day disclosure window for fixed vulnerabilities, or sooner by mutual agreement.
- We provide permanent, public credit in our advisories and Hall of Fame.
The Passary web application was accessible directly via its origin IP address instead of being restricted to the official domain (passary.com). This allowed the application to respond to HTTP and HTTPS requests addressed to the IP rather than enforcing hostname-based access control.
Direct IP access could allow attackers to interact with the application outside of the intended domain-based access path, increasing exposure to automated scanning and bypassing hostname-based security controls.
No user data was exposed, and the integrity of Passary’s encrypted, local-only vaults was not affected.
Affected components: Web server configuration, application infrastructure (HTTP/S entry point)
The web server configuration did not explicitly restrict incoming HTTP and HTTPS requests to the official domain hostname, so the application was served to any request that reached the server, including requests addressed directly to the origin IP address.
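The following nginx configuration is an added example of the kind of hostname enforcement described above; it is not Passary's actual configuration, and the upstream address, certificate paths and nginx version requirement (1.19.4 or later for `ssl_reject_handshake`) are assumptions. Catch-all `default_server` blocks close plain-HTTP connections that do not carry the official Host header and refuse TLS handshakes whose SNI does not name the official hostname, so only `passary.com` is ever served.

```nginx
# Added example, not Passary's own configuration.
# Assumes nginx >= 1.19.4 and placeholder certificate paths.

# Plain HTTP catch-all: requests whose Host header matches no named server
# block (including requests sent to the bare origin IP) land here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;   # nginx-specific status: close the connection, send nothing
}

# HTTPS catch-all: the TLS handshake completes before any Host header is
# seen, so match on SNI instead and abort handshakes for unknown names.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;   # no certificate is needed in this block
}

# Official hostname over HTTP: only redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name passary.com;
    return 301 https://passary.com$request_uri;
}

# Official hostname over HTTPS: the only block that reaches the application.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name passary.com;
    ssl_certificate     /etc/ssl/placeholder/passary.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/placeholder/passary.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed application upstream
        proxy_set_header Host $host;
    }
}
```

After deploying, a request to the origin IP with a non-matching Host header should get an empty reply and a TLS connection to the IP without matching SNI should fail the handshake; if a CDN or load balancer sits in front of the origin, the same hostname restriction must also be applied there.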
We gratefully acknowledge the following security researchers who have responsibly disclosed vulnerabilities to us. Their expertise and integrity have made Passary safer for everyone. Entries in this Hall of Fame are permanent.
| Researcher | Contribution | Year |
|---|---|---|
| Jay Mehta | Responsible disclosure of origin IP infrastructure exposure | 2025 |
Passary considers security research conducted in good faith and in compliance with our Responsible Disclosure Policy to be authorized activity. We will not pursue legal action against researchers who:
We believe that security history should never be rewritten. Published security advisories on this page are permanent records. We do not silently remove or alter advisories once published. Any material updates to an advisory will be clearly marked as revisions with timestamps.