Please use GitHub Security Advisories to report vulnerabilities privately.
Do NOT open a public issue or disclose the vulnerability before it has been addressed.
When reporting, please include:
- Description of the vulnerability
- Steps to reproduce
- Affected component (credential storage, sync, intent handling, etc.)
- Potential impact
- Suggested fix (if any)
What you can expect from us:
- Acknowledgment within a few days
- Assessment of severity
- Fix for confirmed vulnerabilities
- Coordinated disclosure once resolved — reporters credited in release notes unless they prefer anonymity
This security policy covers the KashCal Android application and this repository.
KashCal handles sensitive data including:
- Sync credentials — iCloud app-specific passwords, CalDAV server passwords, stored via Android Keystore (AES-256-GCM)
- Calendar data — Event titles, descriptions, locations
- Contact data — Birthday information from device contacts (when enabled)
- Network traffic — CalDAV sync over HTTPS
Out of scope:
- Third-party services (iCloud, CalDAV servers) — report to the respective projects
- Issues in dependencies — report to the respective projects
Security fixes are applied to the latest release only.
Recommendations for users:
- Keep KashCal updated to the latest version
- Use strong, unique app-specific passwords for sync accounts
- Review calendar and contact permissions granted to the app