Security: UltraLocked/security-core

SECURITY.md

Security Policy

Supported Scope

Security reports are in scope for:

  • UltraLockedFormat parsing, encryption, decryption, and tamper handling.
  • .ultralocked bundle format documentation.
  • Test vectors, malformed bundle handling, and security documentation.

The commercial iOS app, App Store configuration, backend infrastructure, private deployment infrastructure, and unreleased features are outside this public repository.

Reporting A Vulnerability

Please report suspected vulnerabilities privately before opening a public issue.

Use one of these channels:

Include:

  • A concise description of the issue.
  • Affected component and version or commit.
  • Steps to reproduce.
  • Impact and any required attacker capabilities.
  • Proof-of-concept files only when safe to share.

Disclosure Expectations

We aim to acknowledge valid reports within 5 business days. Coordinated public disclosure should wait until a fix or mitigation is available, unless active exploitation changes the risk calculus.

Not A Bug Bounty

Unless announced elsewhere in writing, this project does not currently operate a paid bug bounty program.
