If you discover a security vulnerability in the UnveilPass SDK, please report it responsibly.

Do NOT open a public GitHub issue.

Instead, email: support@unveiltech.com

Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

We will acknowledge your report within 48 hours and provide a timeline for a fix.

• All file encryption uses AES-256-GCM (client-side)
• Decryption keys are never sent to the server
• PINs are hashed with SHA-256 before transmission
• Agent credentials are one-time use with configurable TTL
• The SDK preserves UnveilPass's zero-knowledge architecture