Security

Security Policy

TermZ handles credentials, so we take security reports seriously. Here's how to reach us and what to expect.

TermZ is early-release (beta) software and has not undergone a formal third-party security audit. It is provided under the Apache-2.0 License on an “AS IS” basis. Please review the download page notice before relying on it for sensitive data.

Reporting a vulnerability

Please report suspected security issues privately — do not open a public issue or disclose details publicly until we've had a chance to investigate and ship a fix.

  • Email admin@termz.app with the subject “TermZ security report”.
  • Include: affected version/platform, a description of the issue, and clear steps to reproduce (a proof-of-concept helps).
  • If the report is sensitive, ask in your first message and we'll arrange an encrypted channel.

What to expect

  • We aim to acknowledge new reports within a few days. TermZ is maintained by a small team, so we can't commit to a strict SLA, but credible reports are prioritized.
  • We'll confirm the issue, keep you updated on remediation, and credit you in the changelog if you'd like (opt-in).
  • Fixes ship in a new release; see supported versions below.

Safe harbor

We support good-faith security research. If you make a genuine effort to comply with this policy, we will not pursue or support legal action against you for your research. In return, please:

  • Only test against your own installation and your own data.
  • Do not access, modify, or exfiltrate other people's data; do not run denial-of-service or spam tests.
  • Give us reasonable time to remediate before any public disclosure.

Scope

In scope: the TermZ desktop application, the official installers on dl.termz.app, and this website.

Out of scope: vulnerabilities in third-party dependencies (please report upstream), social-engineering or physical attacks, and issues that require a already-compromised device.

Supported versions

While TermZ is pre-1.0, only the latest release receives security fixes. Please update to the newest version (the app checks on launch) before reporting, and confirm the issue still reproduces there.

Our security model

A quick summary of how TermZ protects your data (see the documentation for detail):

  • Credential vault — secrets stored in a SQLCipher database encrypted at rest; key derived from your master password with Argon2id; sealed with ChaCha20-Poly1305 authenticated encryption. Plaintext secrets are never written to disk.
  • Host-key pinning (TOFU) — connections are hard-blocked on a host-key change, with an append-only audit log of trust decisions.
  • Output masking — rules to keep secrets out of session logs.
  • Cross-device sync — optional and end-to-end encrypted; you bring your own storage and the bucket only ever sees ciphertext. See the sync setup guide.
  • Signed releases — macOS builds are Developer ID signed and notarized by Apple; Windows builds are signed via Azure Trusted Signing.