If you discover a security vulnerability in this project, please report it privately to the maintainer(s) instead of using the public issue tracker.
- Email: contact the maintainer privately
- Subject: include `[SECURITY]` in the email subject
- Include:
  - Detailed description of the vulnerability
  - Steps to reproduce (if applicable)
  - Potential impact and severity assessment
  - Suggested fix (if you have one)
  - Your name and contact information (optional)
Expected response timeline:
- 48 hours: acknowledgment of receipt
- 7 days: initial assessment and plan
- 30 days: fix development and testing
- Public disclosure: coordinated after the fix is released
This project implements the following security practices:
- OAuth2 authentication through Proton's official APIs
- No plaintext credentials stored locally
- Credentials managed via system keyring (XDG Secret Service)
- File index encryption: SQLite database encrypted with a key derived via PBKDF2 (100k iterations)
- Local cache: `~/.cache/proton-drive/file_index.db` (encrypted)
- Configuration: `~/.config/proton-drive/` (user-owned, restricted permissions)
- inotify-based monitoring for local file changes
- rclone integration with path validation
- Sync safety features: Conflict detection, delete protection
- All communication over HTTPS
- OAuth2 tokens handled as credentials: never stored in plaintext and never written to logs
- No sensitive data logged in debug output
Only the latest released version receives security updates and fixes.
Older versions may not receive patches for newly discovered vulnerabilities. We recommend always updating to the latest version.
This project relies on Proton Drive's public API and rclone for synchronization. Its security guarantees are therefore bounded by:
- Proton Drive API capabilities
- rclone's handling of credentials
- System keyring implementation
Where data lives and how it is protected:
- Local index: encrypted at rest (key derived with PBKDF2)
- Cloud files: encrypted end-to-end by Proton Drive
- Credentials: encrypted in the system keyring
- Logs: NOT encrypted (may contain file paths)
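The following script is an added example, not code from this project. It does two things the practices list and the data-at-rest list above describe but do not show: it derives a file-index key with PBKDF2 at the quoted 100k iterations (HMAC-SHA256, a 32-byte key and a 16-byte salt are assumptions of the example, since the policy names only PBKDF2 and the iteration count), and it audits the cache and configuration locations named above for the properties the policy claims: owned by the current user, not readable by group or others, and an index file that does not start with the plaintext SQLite header. `run_demo()` builds a weak and a hardened layout from constructed sample files in a temporary directory; the paths, function names and thresholds are the example's own.

```python
import hashlib
import os
import secrets
import stat
import tempfile
from pathlib import Path

PBKDF2_ITERATIONS = 100_000            # iteration count quoted in this policy
SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every unencrypted SQLite file
CACHE_INDEX = "file_index.db"


def derive_index_key(password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive a 32-byte file-index key with PBKDF2-HMAC-SHA256.

    Assumption of this example: the policy names PBKDF2 and 100k iterations
    only; the hash, the key length and the 16-byte salt minimum are ours.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    if iterations < PBKDF2_ITERATIONS:
        raise ValueError("refusing to use fewer iterations than the policy states")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def new_salt() -> bytes:
    """Fresh random salt; store it beside the ciphertext, never reuse it."""
    return secrets.token_bytes(16)


def is_plaintext_sqlite(path: Path) -> bool:
    """True if the file carries the SQLite header, i.e. it is not encrypted at rest."""
    with path.open("rb") as fh:
        return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC


def audit_local_files(cache_dir: Path, config_dir: Path) -> list[str]:
    """Check cache and config locations against the claims in this policy."""
    findings: list[str] = []
    index = cache_dir / CACHE_INDEX
    me = getattr(os, "getuid", lambda: None)()   # getuid is POSIX-only
    for p in (cache_dir, config_dir, index):
        if not p.exists():
            continue
        st = p.stat()
        if me is not None and st.st_uid != me:
            findings.append(f"{p}: owned by uid {st.st_uid}, not the current user")
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"{p}: mode {oct(mode)} grants group/other access")
    if index.is_file() and is_plaintext_sqlite(index):
        findings.append(f"{index}: has the SQLite header, so it is stored unencrypted")
    return findings


def _build_layout(root: Path, plaintext: bool,
                  dir_mode: int, file_mode: int) -> tuple[Path, Path]:
    """Constructed sample layout mirroring the XDG paths named in the policy."""
    cache = root / ".cache" / "proton-drive"
    config = root / ".config" / "proton-drive"
    cache.mkdir(parents=True)
    config.mkdir(parents=True)
    index = cache / CACHE_INDEX
    # Either a fake plaintext SQLite header or random bytes standing in for ciphertext.
    index.write_bytes(SQLITE_MAGIC + b"\x00" * 84 if plaintext else secrets.token_bytes(100))
    for d in (cache, config):
        d.chmod(dir_mode)
    index.chmod(file_mode)
    return cache, config


def run_demo() -> dict[str, list[str]]:
    """Audit a weak (world-readable, plaintext) and a hardened layout."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        weak = audit_local_files(*_build_layout(root / "weak", True, 0o755, 0o644))
        hardened = audit_local_files(*_build_layout(root / "hardened", False, 0o700, 0o600))
    return {"weak": weak, "hardened": hardened}


if __name__ == "__main__":
    home = Path.home()
    for finding in audit_local_files(home / ".cache" / "proton-drive",
                                     home / ".config" / "proton-drive"):
        print(finding)
    salt = new_salt()
    key = derive_index_key("correct horse battery staple", salt)
    print(f"derived {len(key)}-byte key with salt {salt.hex()}")
```

Run as the normal user, the script prints one line per finding for the real `~/.cache/proton-drive` and `~/.config/proton-drive`; no output means the checks passed. The header check only detects an index that is not encrypted at all; it cannot confirm which cipher is used or how the salt is stored, which is what FILE_INDEX_SECURITY.md should document.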
For maximum security, we recommend:
- Using full-disk encryption (LUKS/BitLocker)
- Securing system keyring with strong password
- Reviewing log contents for sensitive information
- Using the client only over a trusted network connection
General best practices:
- Keep Updated - Always use the latest version
- Protect Credentials - Use a strong, unique Proton account password
- System Security - Maintain an up-to-date OS and dependencies
- Privileges - Don't run the app with elevated privileges (sudo); its cache and configuration are meant to be owned by your own user
- Network - Use a VPN on untrusted networks (if needed)
- Keyring - Lock the system keyring when not in use
We follow responsible disclosure practices:
- Private Report - Vulnerabilities reported privately
- Verification - We verify and assess the issue
- Fix Development - We develop and test a fix
- Coordinated Release - We release the fix publicly
- Credit - Reporter credited (unless they prefer anonymity)
For more information on security implementation, see FILE_INDEX_SECURITY.md.