If you discover a security vulnerability in V3SP3R, please report it responsibly.

• Open a public GitHub issue for security vulnerabilities
• Post details in Discussions or social media before a fix is available

1. Email: Send a detailed report to the repository maintainers via GitHub's private vulnerability reporting
2. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if you have one)
3. Allow time: Give us reasonable time to investigate and release a fix before public disclosure (90 days is standard)

Vesper takes security seriously at every layer:

Every AI-initiated action is classified before execution:

• All LLM responses are validated before execution
• File paths are sanitized to prevent directory traversal
• JSON from AI models passes through repair and strict parsing
• BLE data is bounds-checked before processing

• API keys are stored in Android's EncryptedSharedPreferences
• Chat history is stored locally in an encrypted Room database
• No telemetry or analytics are collected
• No data is sent to third parties (except your chosen LLM provider via OpenRouter)

• Remote code execution
• Authentication/authorization bypass
• Data exfiltration or leakage of API keys
• Prompt injection leading to unauthorized Flipper actions
• BLE protocol vulnerabilities
• Path traversal or sandbox escape on the Flipper filesystem

• Social engineering attacks
• Physical access attacks (someone with your unlocked phone)
• Denial of service against OpenRouter or other third-party APIs
• Vulnerabilities in the Flipper Zero firmware itself (report those to Flipper Devices)
• Issues requiring root/jailbroken Android device

We appreciate security researchers who help keep Vesper safe. With your permission, we'll credit you in release notes when a reported vulnerability is fixed.