SECURITY

Security Policy v1.0 — March 2026

Last updated: March 29, 2026 Compliant with: EU Cyber Resilience Act (CRA) Regulation 2024/2847, EU Product Liability Directive 2024/2853, Romanian DNSC requirements, ENISA guidelines

This document describes SIBSTIL DOORS SRL's security commitments for the Typiq desktop application, our vulnerability disclosure process, and how we handle security incidents. It applies to all versions of Typiq.

1. Our Security Commitments

SIBSTIL DOORS SRL commits to the following security standards for Typiq:

Secure by design: The application uses contextIsolation and sandboxed rendering (Electron security best practices). nodeIntegration is disabled. All IPC communication uses contextBridge.
No unnecessary data collection: The application does not collect or transmit personal data during offline use.
Local data only: Progress data and settings are stored locally in the user's profile directory.
HTTPS only: All network communication from the application and website uses HTTPS with valid certificates.
Dependency management: We monitor third-party dependencies (Electron, Node.js packages) for known vulnerabilities using automated tools.
Security support period: Minimum 3 years from purchase date for Personal license holders.

2. Supported Versions

Version	Status	Security Updates
1.x (current)	✅ Active	Yes — full support
Future versions	To be announced	Yes

We strongly recommend always using the latest version of Typiq to benefit from the most recent security patches.

3. Vulnerability Disclosure Policy

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue in Typiq, please follow the process below.

Report a vulnerability: Email sibstil@gmail.com with subject line: [SECURITY] Typiq vulnerability report

Please include in your report:

Description of the vulnerability
Typiq version affected
Operating system and version
Steps to reproduce
Potential impact assessment (if known)
Your contact information (for follow-up)

4. Our Response Process

Timeline	Action
Within 48 hours	Acknowledge receipt of your report
Within 7 days	Initial assessment and severity classification
Within 30 days	Patch development and testing (critical vulnerabilities prioritized)
Within 45 days	Release of patched version and public disclosure (coordinated with reporter)

We ask that you:

Do not publicly disclose the vulnerability before we have released a patch (coordinated disclosure)
Do not exploit the vulnerability beyond what is necessary for proof of concept
Do not access or modify user data

We will not pursue legal action against researchers who act in good faith and follow this policy.

5. Security Incident Response (CRA Art. 14)

In accordance with the EU Cyber Resilience Act (Regulation 2024/2847) and applicable Romanian cybersecurity law:

Security incidents affecting Typiq will be reported to DNSC (Directoratul Național de Securitate Cibernetică) within 24 hours of discovery.
Affected users will be notified within 72 hours of a breach confirmed to affect their data, in accordance with GDPR Art. 33-34.
A detailed incident report will be provided within 30 days of the incident.

6. Known Security Considerations

Users should be aware of the following:

License file: The license file (license.json) is stored in your user profile directory. Do not manually modify this file. Unauthorized modification may result in license deactivation.
macOS Gatekeeper: On macOS, you may see a security warning on first launch. This is normal for applications not distributed through the Mac App Store. Go to System Preferences → Security & Privacy → Open Anyway.
Windows SmartScreen: Windows may show a SmartScreen warning. Click "More info" → "Run anyway." This occurs because the application is not yet code-signed with an EV certificate.
Internet connection: The application requires internet access only for license activation. Normal use is fully offline.

7. Third-Party Dependencies

Typiq uses the following major open-source components. We monitor these for security advisories:

Component	Purpose	Security Monitoring
Electron v33	Desktop application framework	GitHub Security Advisories
Node.js v22	Runtime	Node.js Security Releases
node-machine-id	Hardware fingerprint	npm audit

8. Contact

Security reports: sibstil@gmail.com
Subject line: [SECURITY] Typiq vulnerability report
SIBSTIL DOORS SRL, Sibiu, România

9. Updates to This Policy

This policy will be reviewed and updated at least annually, or following any significant security incident. The current version is always available at typiq-app.com/security.