§ security
What we hold. What we cannot see.
OC Vault encrypts every item client-side under a vault key that never leaves your device. What OrangeCheck stores is ciphertext. A compromise of OrangeCheck infrastructure exposes encrypted blobs, not your secrets — that is the whole design.
§ what orangecheck holds
- the Bitcoin address you sign in with — already public on-chain
- for paid tiers: the Lightning invoice id, sats paid, tier, and entitlement expiry
- an opaque, double-encrypted blob — your synced vault, as ciphertext
- request metadata (IP, timestamps) for security and rate limiting, retained 90 days
§ what orangecheck cannot see
- the contents of any vault item
- the names, titles, or types of your items
- how many items you store or how often you open them
- your vault key or any recovery material — these never leave your device
!! the encryption design that prevents OrangeCheck from reading your data also prevents OrangeCheck from recovering it. If you lose your vault key and all recovery factors, your data is permanently unrecoverable. Keep your own backups of anything critical.
§ responsible disclosure
!! Don't open public GitHub issues for exploitable bugs. Public disclosure before a fix ships puts everyone using the protocol at risk.
Email security@ochk.io — use PGP for highly sensitive findings; the fingerprint and key are published at github.com/orangecheck/.github/SECURITY.md. Alternatively, open a private GitHub security advisory on the most relevant orangecheck/* repository.
- acknowledgement: within 72 hours of receipt
- triage: within 7 days — whether we agree it is a vulnerability, the severity assigned, and a target fix date
- coordinated disclosure: we credit you (unless you prefer anonymity) and publish an advisory once the fix ships
- bounty: no paid bounty program yet — the ecosystem is young; we are grateful for responsible disclosure