vScan implements multiple layers of security to protect your credentials and data:
- AES-256-GCM encryption for all stored credentials (VBR, SSH, SMTP)
- Argon2id key derivation with OWASP-recommended parameters
- OS Keychain integration (macOS Keychain / Windows Credential Manager) for master key storage
- Sensitive data zeroization in memory after use
- Master password required on every launch
- Biometric unlock via Touch ID (macOS) or Windows Hello (Windows)
- Recovery key generated at setup for account recovery
- Brute force protection with progressive wait times (up to 5 minutes)
- Password blacklist checking against ~600 common breached passwords
- Auto-lock with configurable idle timeout (default 5 minutes)
- Lock on minimize and screen sleep options
- SSH host key verification (TOFU model) to prevent MITM attacks
- VBR certificate pinning (SHA-256 TOFU)
- Input sanitization and shell command injection prevention
- SQL parameterized queries throughout (zero injection surface)
- Content Security Policy with prototype freeze protection
- All data stored locally on your machine
- No telemetry, analytics, or external data collection
- Outbound connections limited to: VBR server, Linux scanner server, CISA KEV catalog (optional), SMTP (optional)
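The SSH host-key verification and VBR certificate pinning listed above both follow the trust-on-first-use model. The following is an added illustration of that model (not vScan's own code): a SHA-256 pin store that records the first fingerprint seen for a host, accepts later matches, and hard-fails on a mismatch rather than silently re-pinning. The service and host names and the key bytes are constructed for the demo.

```python
import hashlib, json, tempfile
from pathlib import Path


class PinMismatch(Exception):
    """A host presented a fingerprint that differs from its stored pin."""


def fingerprint(raw: bytes) -> str:
    """SHA-256 hex fingerprint of a DER certificate or raw SSH host key."""
    return hashlib.sha256(raw).hexdigest()


class PinStore:
    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def _save(self) -> None:
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def verify(self, service: str, host: str, raw: bytes) -> str:
        """'pinned' on first contact, 'ok' on match; raises PinMismatch otherwise."""
        key, fp = f"{service}:{host}", fingerprint(raw)
        pinned = self.pins.get(key)
        if pinned is None:
            # First contact is the one connection TOFU cannot authenticate;
            # only an out-of-band check of the fingerprint closes that gap.
            self.pins[key] = fp
            self._save()
            return "pinned"
        if pinned == fp:
            return "ok"
        # Never overwrite on mismatch: re-pinning must be an explicit user
        # action taken after a verified key or certificate rotation.
        raise PinMismatch(f"{key}: pinned {pinned[:16]}..., got {fp[:16]}...")


def demo() -> list:
    """Exercise the three TOFU outcomes with constructed (fake) key bytes."""
    path = Path(tempfile.mkdtemp()) / "pins.json"
    good, rogue = b"CONSTRUCTED-HOST-KEY", b"CONSTRUCTED-OTHER-KEY"
    out = [PinStore(path).verify("ssh", "scanner.example", good),
           PinStore(path).verify("ssh", "scanner.example", good)]  # reloaded from disk
    try:
        PinStore(path).verify("ssh", "scanner.example", rogue)
    except PinMismatch:
        out.append("mismatch")
    return out
```

The mismatch branch is where a client must stop and show the user both fingerprints; overwriting the pin there would reduce the check to "trust whatever was presented last".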
If you discover a security vulnerability, please report it responsibly:
- Do not create a public GitHub issue
- Email: security@24xsiempre.com
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
We will respond within 48 hours and work with you to resolve the issue.