The following versions of KeySafe are currently receiving security updates:

| Version | Supported |
|---|---|
| 0.1.x | ✅ |

If you discover a security vulnerability in KeySafe, please report it responsibly:
- Do not open a public GitHub issue for security vulnerabilities.
- Report the vulnerability privately by opening a GitHub Security Advisory in this repository.
- Include as much detail as possible: a description of the vulnerability, steps to reproduce, potential impact, and any suggested mitigations.
You can expect an acknowledgement within 48 hours and a status update within 7 days. If the vulnerability is accepted, a fix will be developed and a new release published. If it is declined, you will receive a brief explanation of the decision.

KeySafe is an API key management application. Please be aware of the following:
- Authentication: The current implementation uses a mock/client-side authentication flow. In production, this must be replaced with a real authentication provider (e.g., Firebase Auth) before handling real credentials.
- Key storage: API keys may be pasted into or created within the application and are currently held in client-side in-memory state only; they are not persisted to a backend or stored server-side in the current implementation. Treat any entered keys as sensitive secret material.
- Production hardening: Do not use real production API keys until the application has been hardened. Before deploying to production or handling real API keys, add server-side key storage with encryption at rest, proper access controls, and audit logging as described in the README.