Security policy
Responsible disclosure, security contact channel, and assurance principles applied to HeelonVault and services operated by HEELONYS.
Dedicated channel: for any vulnerability report, use security@heelonys.fr and avoid public disclosure before coordinated handling.
Scope: this page primarily covers HeelonVault, a local-first desktop secrets manager, and HEELONYS web services related to its commercialization.
1. General principles
HeelonVault is designed with a security-first approach, with special attention to protection of secrets at rest, strong authentication, reduction of accidental leakage, and traceability of sensitive actions.
- local-first architecture;
- modern encryption and password derivation: AES-256-GCM and Argon2id;
- operational safeguards: audit log, lock controls, TOTP 2FA, and secure exports.
2. How to report a vulnerability
Please send an email to security@heelonys.fr with subject format SECURITY-HeelonVault: short title.
Please include:
- affected version;
- test environment;
- reproduction steps;
- expected vs observed behavior;
- estimated impact;
- a proof of concept if available.
Please do not send cleartext secrets, full database dumps, or master passwords in your initial report.
3. Target handling timelines
- acknowledgement within 24h;
- initial triage and classification within 3 business days;
- status update at least every 7 days until closure.
| Priority | Exploitability | Impact | Operational target |
|---|---|---|---|
| P1 | Trivial or low-complexity exploitation | High impact on confidentiality, integrity, or availability | Target mitigation or fix within 7 days |
| P2 | Realistic exploitation with few prerequisites | Moderate to high impact | Target mitigation or fix within 14 days |
| P3 | Specific conditions or required user interaction | Limited to moderate impact | Planned fix within 30 days |
| P4 | Theoretical or hard-to-exploit scenario | Low impact | Handled in upcoming releases |
4. Coordinated disclosure
Vulnerabilities must be handled through coordinated disclosure. Unless legally required otherwise, no detailed publication should occur before a mitigation or acceptable fix is available.
5. License, trademarks, and authenticity
The software components of HeelonVault may be distributed under the Apache License 2.0. The HEELONYS and HeelonVault trademarks remain the exclusive property of HEELONYS.
The authenticity seal, or any equivalent mention reserved for official builds, must not be displayed on modified versions, forks, or community builds that HEELONYS has not approved.
6. Contact
Security reporting: security@heelonys.fr
General contact: contact@heelonys.fr
Company: HEELONYS - SAS-U - 40 rue de la tour d'Auvergne, 44200 NANTES, France
Last updated: 2 April 2026