Security: Krunixbase/seedtools


📘 SECURITY.md — SeedTools Suite

Security Policy

SeedTools Suite is designed for offline‑first, deterministic, and high‑security environments.
The application does not transmit, store, or sync sensitive data and is safe to use in air‑gapped systems.

This document describes:

  • supported security guarantees
  • known limitations
  • responsible disclosure
  • operational security recommendations

Supported Versions

SeedTools follows a rolling‑release model.
Only the latest stable release receives:

  • security patches
  • cryptographic updates
  • dependency updates

Older versions should not be used in production or regulated environments.


Security Guarantees

SeedTools provides the following guarantees:

  • No networking — no API calls, no telemetry, no cloud
  • No seed storage — mnemonics, seed hex, and keys never touch disk
  • Deterministic execution — same input → same output
  • Offline‑first architecture — safe for air‑gapped workflows
  • No clipboard usage — eliminates clipboard hijacking
  • Zero‑trust design — OS, hardware, and environment are not trusted
  • Memory zeroization — sensitive data cleared where possible
  • No offensive capabilities — cannot attack or brute‑force wallets

For a full threat analysis, see Threat Model.


Security Limitations

SeedTools cannot protect against:

  • compromised operating systems
  • hardware keyloggers
  • malicious firmware
  • physical access attacks
  • supply‑chain hardware implants

These risks require user‑side operational security.

For details, see Security FAQ.


Reporting a Vulnerability

If you discover a security issue, please report it privately.

How to report

Send an email to:

krunixbase@gmail.com

Include:

  • description of the issue
  • steps to reproduce
  • affected version
  • potential impact

We aim to respond within 72 hours.

Do not:

  • open public GitHub issues
  • disclose vulnerabilities before coordinated release
  • share exploit details publicly

Cryptographic Scope

SeedTools implements:

  • BIP32
  • BIP39
  • BIP44 / BIP49 / BIP84 / BIP86
  • SLIP‑44
  • Shamir Secret Sharing (SLIP‑39)
  • Taproot (BIP86)

Cryptographic correctness is validated through:

  • deterministic test vectors
  • entropy scoring
  • polynomial validation
  • hardened path enforcement

For details, see Cryptographic Threats.


Operational Security Recommendations

To ensure maximum safety:

Use SeedTools on a trusted device

Avoid:

  • infected systems
  • shared computers
  • cloud desktops
  • remote sessions

Prefer offline / air‑gapped environments

SeedTools is designed for:

  • cold wallets
  • forensics
  • regulated environments
  • secure key generation

Verify downloads

Always verify:

  • checksums
  • signatures
  • release source
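As an added illustration of the checksum step (this is example code written for this page, not a SeedTools release tool, and the file names and hashes in it are constructed), the block below parses a `SHA256SUMS`-style file, hashes each listed file in chunks, and compares digests with a constant-time comparison. A missing file or a mismatch is reported as a failure rather than silently skipped.

```python
import hashlib
import hmac
import os
import tempfile


def parse_sha256sums(text: str) -> dict[str, str]:
    """Parse sha256sum output: '<64 hex>  <name>' or '<64 hex> *<name>' (binary mode) per line."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, rest = line.partition(" ")
        name = rest.strip()
        if name.startswith("*"):
            name = name[1:]
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[name] = digest.lower()
    return expected


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_release(directory: str, sums_text: str) -> dict[str, bool]:
    """Return {filename: ok}; a file that is absent or whose hash differs is marked False."""
    results = {}
    for name, digest in parse_sha256sums(sums_text).items():
        path = os.path.join(directory, os.path.basename(name))  # refuse path traversal in names
        if not os.path.isfile(path):
            results[name] = False
            continue
        # compare_digest avoids leaking where the hex strings first differ.
        results[name] = hmac.compare_digest(sha256_file(path), digest)
    return results


def demo() -> dict[str, bool]:
    """Constructed sample: one intact file, one modified file, one file that is missing."""
    with tempfile.TemporaryDirectory() as d:
        good = b"seedtools release payload (constructed sample)\n"
        with open(os.path.join(d, "seedtools.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "seedtools.tar.gz.sig"), "wb") as f:
            f.write(b"modified after the checksum file was written\n")
        sums = (
            f"{hashlib.sha256(good).hexdigest()}  seedtools.tar.gz\n"
            f"{hashlib.sha256(b'original signature bytes').hexdigest()} *seedtools.tar.gz.sig\n"
            f"{'0' * 64}  missing-file.txt\n"
        )
        return verify_release(d, sums)


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'FAILED'}")
```

A checksum only proves the download matches the checksum file; it does not prove who produced either. That is what the "signatures" item covers: verify the release signature (for example with `gpg --verify` or `minisign -V`, depending on what the release source publishes) against a key you obtained out of band, and treat an unsigned checksum file as unverified.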

Never store seeds digitally

Avoid:

  • screenshots
  • notes apps
  • cloud backups
  • password managers

Use strong entropy

Weak seeds reduce security regardless of the tool.
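The "entropy scoring" mentioned in the cryptographic scope above is one way a tool can catch obviously weak input before it becomes a seed. The block below is an added example for this page (not SeedTools' own scorer; the thresholds and finding names are this example's assumptions). It accepts raw BIP39 entropy of 128 to 256 bits and flags constant bytes, short repeating patterns, long runs, printable-ASCII input that looks like typed text, and low byte diversity. The sample inputs are constructed.

```python
import hashlib
import math
from collections import Counter


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution; capped by log2(len(data))."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def longest_run(data: bytes) -> int:
    """Length of the longest run of identical consecutive bytes."""
    best = run = 1
    for a, b in zip(data, data[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def smallest_period(data: bytes) -> int:
    """Smallest p such that data repeats with period p (len(data) if it does not)."""
    for p in range(1, len(data)):
        if data[p:] == data[:-p]:
            return p
    return len(data)


def score_entropy(data: bytes) -> dict:
    """Heuristic screen for weak seed entropy. Returns findings and an accept/reject verdict.

    Caveat: 16-32 bytes are far too few to certify randomness statistically.
    These checks only reject inputs that are clearly not random (typed text,
    patterns, zeros); real strength comes from the source (OS CSPRNG, dice).
    """
    if len(data) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    findings = []
    if len(set(data)) == 1:
        findings.append("constant bytes")
    period = smallest_period(data)
    if period <= len(data) // 4:
        findings.append(f"repeating pattern with period {period}")
    if longest_run(data) >= 4:
        findings.append(f"run of {longest_run(data)} identical bytes")
    if all(32 <= b < 127 for b in data):
        findings.append("printable ASCII (looks like typed text, not random bytes)")
    bpb = shannon_bits_per_byte(data)
    if bpb < 3.0:  # random 16 bytes score about 3.9, random 32 bytes about 4.9
        findings.append(f"low byte diversity ({bpb:.2f} bits/byte)")
    return {"bits_per_byte": round(bpb, 2), "findings": findings, "accepted": not findings}


if __name__ == "__main__":
    samples = {
        "all zeros": bytes(16),
        "pattern": b"\x01\x02\x03\x04" * 4,
        "typed text": b"correct horse battery staple!!!!",
        # Constructed stand-in for CSPRNG output: a fixed hash digest.
        "digest": hashlib.sha256(b"constructed sample").digest(),
    }
    for label, sample in samples.items():
        print(label, score_entropy(sample))
```

Because the verdict is heuristic, a tool should treat "accepted" as "not obviously broken" rather than as proof of strength: a 32-byte value copied from a public test vector passes every check here and is still worthless as a seed.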


Security Architecture Overview

SeedTools is built on four layers:

  1. Input Controller — validates and normalizes user input
  2. Deterministic Core — performs BIP derivations
  3. Validation Layer — entropy scoring, Shamir checks, Taproot rules
  4. Presentation Layer — offline rendering, no clipboard, no logs

For a full diagram, see DFD (Data Flow Diagram).


Residual Risks

Even with SeedTools, the following risks remain:

  • OS‑level compromise
  • hardware implants
  • malicious BIOS/UEFI
  • physical theft
  • user mistakes
  • weak entropy

These are outside the scope of any offline cryptographic tool.


Final Notes

SeedTools is designed to be:

  • safe
  • deterministic
  • offline
  • transparent
  • auditable

But security always depends on the environment.
A compromised system cannot be made safe by any application.

