Version 2.0 — © 2025 Sansyourways
Last Updated: January 2025
SPM (Sans Password Manager) is a privacy-focused, offline, fully client-side encrypted application.
This document contains the security policy for vulnerability reporting, responsible disclosure, and usage expectations.
SPM is designed around the following core principles:
- Offline-first — no servers, no cloud sync, no telemetry.
- Zero data collection — all vault data stays on the user's device.
- Strong encryption — GnuPG (OpenPGP) or AES-256-GCM protects all stored data.
- User-controlled keys — the user is the sole owner of all keys and passwords.
- No recovery mechanisms — master password or private key cannot be recovered by the developer.
SPM is intentionally built without remote dependencies to minimize risk.
Because SPM is distributed under a Private License, only the latest stable release is officially supported.
| Version | Status |
|---|---|
| Latest stable (current release) | Supported |
| Any modified, altered, or redistributed build | Not supported |
| Older versions | Not supported |
If you discover a potential security issue, follow these rules:
- Report it privately and directly.
- Provide steps to reproduce.
- Provide your environment details (OS, version, architecture).
- Wait for confirmation before sharing further details.
- Publicly disclose the vulnerability.
- Post the issue in GitHub issues.
- Share vaults, passwords, or private keys.
- Upload sensitive data for testing.
- Attempt to reverse engineer or bypass protections (violates license).
You will receive acknowledgment within a reasonable timeframe.
When reporting, attach:
- A clear description of the issue
- Steps to reproduce
- SPM version
- Your OS and setup
- Expected behavior vs actual behavior
- Logs only if safe (no sensitive data)
Do not send:
- Real vaults
- Real passwords
- Master password
- Private keys
- Screenshots containing sensitive entries
The following are considered in-scope for reporting:
- Encryption implementation bugs
- File corruption or integrity failures
- Web mode security concerns
- Local process access vulnerabilities
- Cryptographic misuse
- Privilege escalation inside SPM
- Bundle/backup handling vulnerabilities
The following are out of scope:
- Lost master passwords
- User-caused key loss
- Device compromise (malware/virus/root)
- Modified or tampered versions of SPM
- Vault recovery requests
- Cloud leakage (SPM never uploads data)
- Brute-forcing encrypted vaults
- Unofficial extensions or scripts
All valid security reports will be:
- Acknowledged
- Investigated privately
- Resolved in a future update where applicable
- Credited (if you wish)
- Kept confidential until fixed
Reports violating the Private License (reverse engineering, decompiling, etc.) may result in termination of your license.
Users are fully responsible for:
- Protecting their master password
- Storing backups securely
- Managing encryption keys
- Protecting their device from malware
- Securing their filesystem permissions
Because SPM does not collect data or hold keys, the developer cannot restore lost vaults.
Security issues: security@sansyourways.xyz
General support: support@sansyourways.xyz
Commercial licensing: business@sansyourways.xyz
© 2025 Sansyourways. All Rights Reserved.