Security — Kragworks

Kragworks security@kragworks.net

Responsible Disclosure

If you have discovered a security vulnerability in SovereignShield or any Kragworks product, please report it to security@kragworks.net. We respond within 48 hours, acknowledge valid reports, and work to patch confirmed vulnerabilities within 90 days.

Our Security Architecture

SovereignShield is designed with a minimal attack surface. Because we collect almost no user data, the consequences of a Kragworks infrastructure breach are limited to subscription metadata — not usage data, not location, not traffic contents.

Local-only processing

All traffic inspection and data substitution happens on your device. Data never transits Kragworks infrastructure.

No user database

We store no user accounts, passwords, or personal data. There is no Kragworks database to breach for user data.

Apple-managed payments

All billing processed by Apple. Kragworks never receives or stores payment card data.

App Group isolation

Data shared between the app and VPN tunnel uses iOS App Group sandboxing — inaccessible to other apps.

Open source components

Where we use open source dependencies, we track CVEs and update promptly. Dependency manifest available on request.

Encrypted communications

All communications between app components and Kragworks services use TLS 1.3. HSTS enforced on all web properties.

Vulnerability Disclosure Process

Email security@kragworks.net with a description of the vulnerability
Include steps to reproduce, affected versions, and potential impact
We acknowledge receipt within 48 hours
We investigate and confirm within 10 business days
We patch confirmed vulnerabilities and notify you when resolved
We credit researchers in release notes unless anonymity is requested

Scope

In scope for vulnerability reports: SovereignShield iOS app, Kragworks.net website, SovereignShield daemon software, Node hardware firmware.

Out of scope: Social engineering attacks, physical attacks on hardware, vulnerabilities in Apple's iOS or App Store infrastructure, issues requiring physical device access that the user has not granted.

What We Ask

We ask that researchers act in good faith: do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability; do not perform denial-of-service testing; do not disclose publicly before we have had a reasonable opportunity to patch.

Contact

security@kragworks.net — for security disclosures only.
privacy@kragworks.net — for privacy inquiries.

Security & Disclosure

Our Security Architecture

Vulnerability Disclosure Process

Scope

What We Ask

Contact

Which SovereignShield
is right for you?

Security & Disclosure

Our Security Architecture

Vulnerability Disclosure Process

Scope

What We Ask

Contact

Which SovereignShieldis right for you?

Which SovereignShield
is right for you?