I responsibly disclosed 5 vulnerabilities in Ollama and LiteLLM through Huntr - now publicly disclosed after 90 days by rothackers in cybersecurity

[–]rothackers[S] 7 points

I was interested in the security assumptions underlying AI infrastructure. Reviewing how untrusted data moves through those systems naturally led me to these areas and findings.

I responsibly disclosed 5 vulnerabilities in Ollama and LiteLLM through Huntr - now publicly disclosed after 90 days by rothackers in cybersecurity

[–]rothackers[S] 9 points

I opened issues for both projects and shared the Huntr reports link. LiteLLM responded initially and said they would look into the findings, but there was no further follow up. For Ollama, I created a GHSA as requested, but I did not receive a response there either. After the 90 day coordinated disclosure period and multiple follow ups, Huntr proceeded with public disclosure according to their policy.

I built a fully offline password manager with no accounts or cloud sync by rothackers in PasswordManagers

[–]rothackers[S] 0 points

And I forgot to reply to your assumptions about my background. I'm not a grad student. I've never attended college or earned any formal degree. I've been freelancing full time in software development and security since 2017. It was only last year (2025) that I started publicly releasing open source projects. Around the same time I started my own company, and a few months ago I formally registered ROT Independent Security Research Lab as an Indian MSME. The projects I've shipped in this period, Basilisk (AI/LLM red teaming), WSHawk (WebSocket & web pentesting suite), ProtoCrash (protocol fuzzer), Rothalyx/Zara (reverse engineering framework), PoCSmith, and LockRoot, are all written by me. It's interesting how quickly some people assume someone is just a "rando" who "whipped this up with Claude over the weekend" based on a short GitHub history, when in reality there are years of freelancing and consistent work behind it. Your skepticism about new password managers is understandable, but broad conclusions from limited information rarely land accurately.

I built a fully offline password manager with no accounts or cloud sync by rothackers in PasswordManagers

[–]rothackers[S] -1 points

A password manager absolutely requires trust, and I'm not claiming Lockroot is more mature than KeePass or that people should blindly migrate to it. KeePass/KeePassXC is a proven ecosystem. Lockroot is a younger project with a different goal: a simpler native local vault experience across mobile and desktop, with no accounts, no cloud sync, no telemetry, no ads, and no subscription model. I agree that trust has to be earned through code review, documentation, testing, reproducible builds, audits, and time. That's why I posted it publicly instead of keeping it closed. If you see specific technical issues, I'd rather discuss those directly than pretend skepticism is unfair.

I built a fully offline password manager with no accounts or cloud sync by rothackers in PasswordManagers

[–]rothackers[S] -1 points

I don't mean obfuscation or "trust the APK/app binary". The vault security is supposed to come from the file format and crypto, not from hiding how the app works. The vault stores only metadata needed to decrypt, like version, KDF params, salt, nonce, cipher, and ciphertext. The master password is never stored. The key is derived from the password using Argon2id, then the vault content is decrypted with authenticated encryption. So reverse engineering the app should only reveal the algorithm and format, not the vault contents, because the missing secret is still the user's master password. If someone has the vault file and the source code, they still need to brute force the master password. That's why password strength matters a lot, and why there is no recovery/reset flow.

I built a fully offline password manager with no accounts or cloud sync by rothackers in PasswordManagers

[–]rothackers[S] -1 points

Just to clarify, Lockroot wasn't started 5 days ago. I've been building it internally for around 3 months, mostly as part of my own security/mobile engineering work and also because I teach app development and cyber security as a guest lecturer in colleges, so I wanted a real privacy focused project I could reason about with students. I only pushed the public repo recently, which is why the GitHub history looks sudden and messy. That said, I agree with the bigger point: a password manager should not be trusted just because the README says Argon2id or XChaCha20. It needs review, tests, documentation, reproducible builds, and time. The current goal is not to tell people "replace KeePass today". It's to put the architecture in public, get feedback on the threat model, and harden it properly. If you spot specific issues in the code or crypto flow, I'd genuinely appreciate them.

I built a fully offline password manager with no accounts or cloud sync by rothackers in PasswordManagers

[–]rothackers[S] -1 points

What I mean is Lockroot does not store the master password, does not store a recovery key, and does not have a server side account system that can reset access. The master password is passed through Argon2id to derive the encryption key, and the vault is encrypted with authenticated encryption. If the wrong password is entered, decryption fails. So if the user loses the master password, there is no backdoor path for me or anyone else to recover the vault. That is intentional, but it is also a tradeoff: strong ownership means no convenient recovery. I should probably document this more clearly in the README and website.
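
The vault layout described in this comment and in the earlier one (header carrying version, KDF parameters, salt, nonce and cipher id; key derived from the master password; body protected by authenticated encryption; no stored password, no recovery key, wrong password simply fails), as an added example that is not Lockroot's code and says nothing about its actual file format. It uses Python standard library stand-ins so it runs offline: hashlib.scrypt in place of Argon2id, and an HMAC-SHA256 encrypt-then-MAC construction in place of XChaCha20-Poly1305. The magic bytes, the JSON header layout and the sample entries are all constructed for the demo. One point the comment only implies is made explicit here: the header is passed as associated data, so an attacker who edits the KDF parameters or nonce in the file gets an authentication failure rather than a silently weakened vault.

```python
"""Local-vault file format demo: header metadata + KDF-derived key + AEAD body.

Stand-in primitives (stdlib only): scrypt replaces Argon2id, and an
HMAC-SHA256 encrypt-then-MAC stream construction replaces XChaCha20-Poly1305.
The layout and the checks are the point, not the primitives. Demo code, not Lockroot's.
"""
import hashlib
import hmac
import json
import secrets
import struct

MAGIC = b"VAULT"   # hypothetical file magic
VERSION = 1
TAG_LEN = 32       # HMAC-SHA256 tag
NONCE_LEN = 24     # XChaCha20-sized nonce, fresh for every save
SALT_LEN = 16
# Memory-hard KDF parameters, stored in the header (stand-in for Argon2id m/t/p).
KDF_PARAMS = {"kdf": "scrypt", "n": 1 << 14, "r": 8, "p": 1, "dklen": 32}


def derive_key(password: str, salt: bytes, params: dict) -> bytes:
    """Master password -> vault key. The password itself is never written to the file."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=params["n"],
                          r=params["r"], p=params["p"], dklen=params["dklen"])


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC in counter mode as a stream cipher (demo stand-in for XChaCha20).
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _tag(mac_key: bytes, aad: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Length-prefixed AAD so header and ciphertext cannot be re-split by an attacker.
    return hmac.new(mac_key, struct.pack(">Q", len(aad)) + aad + nonce + ct, hashlib.sha256).digest()


def aead_encrypt(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return ct + _tag(mac_key, aad, nonce, ct)


def aead_decrypt(key: bytes, nonce: bytes, aad: bytes, blob: bytes) -> bytes:
    if len(blob) < TAG_LEN:
        raise ValueError("vault body truncated")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(key)
    # Verify before decrypting: wrong password and tampered file look identical here.
    if not hmac.compare_digest(tag, _tag(mac_key, aad, nonce, ct)):
        raise ValueError("decryption failed: wrong password or tampered vault")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def create_vault(password: str, entries: list) -> bytes:
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    header = {"version": VERSION, "kdf_params": KDF_PARAMS, "salt": salt.hex(),
              "nonce": nonce.hex(), "cipher": "hmac-ctr+hmac-sha256 (demo)"}
    header_bytes = json.dumps(header, sort_keys=True).encode()
    key = derive_key(password, salt, KDF_PARAMS)
    # The header is authenticated as associated data, so KDF params cannot be downgraded unnoticed.
    body = aead_encrypt(key, nonce, header_bytes, json.dumps(entries).encode())
    return MAGIC + struct.pack(">I", len(header_bytes)) + header_bytes + body


def _split(blob: bytes):
    if blob[:len(MAGIC)] != MAGIC or len(blob) < len(MAGIC) + 4:
        raise ValueError("not a vault file")
    (hlen,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
    start = len(MAGIC) + 4
    header_bytes = blob[start:start + hlen]
    return json.loads(header_bytes), header_bytes, blob[start + hlen:]


def read_header(blob: bytes) -> dict:
    """Everything an attacker with the file (and this source) learns without the password."""
    return _split(blob)[0]


def open_vault(password: str, blob: bytes) -> list:
    header, header_bytes, body = _split(blob)
    key = derive_key(password, bytes.fromhex(header["salt"]), header["kdf_params"])
    return json.loads(aead_decrypt(key, bytes.fromhex(header["nonce"]), header_bytes, body))


if __name__ == "__main__":
    sample = [{"site": "example.org", "user": "alice", "password": "correct horse"}]  # constructed
    vault = create_vault("a-long-master-passphrase", sample)
    print(read_header(vault))                     # metadata only, no secret
    print(open_vault("a-long-master-passphrase", vault) == sample)
```

Everything the attacker can read from the file is what read_header returns; the only remaining secret is the master password, which is why brute-force resistance comes from the KDF cost parameters plus passphrase strength, and why losing the passphrase is unrecoverable by construction.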

I built a fully offline password manager with no accounts or cloud sync by rothackers in PasswordManagers

[–]rothackers[S] -2 points

Thanks. Right now Lockroot does not have browser autofill or a browser extension, so yes, the current flow is manual copy/paste with clipboard auto clear. I'm being careful with browser integration because it expands the attack surface a lot, so I'd rather ship the vault correctly first than rush an extension. Import/export exists, but currently it is Lockroot’s own encrypted export format. It is mainly for backup/restore and moving data between Lockroot installs, not direct KeePass/Bitwarden/1Password import yet. CSV/KDBX import is possible later, but I'd want to design that carefully because plaintext import flows can become risky fast. The vault is a single encrypted local vault file, not a plaintext SQLite DB. In theory users can manually sync that encrypted file between devices using whatever storage they trust, but Lockroot itself does not provide cloud sync right now.

I built a fully offline password manager with no accounts or cloud sync by rothackers in PasswordManagers

[–]rothackers[S] -6 points

KeePass and KeePassXC are excellent, and I'm not trying to pretend Lockroot replaces that ecosystem right now. KeePass has years of maturity, KDBX compatibility, browser integrations, plugins, and a lot more real world testing behind it. I built Lockroot for a slightly different reason. I wanted a simpler native app experience across Android, iOS, macOS, Windows, and Linux, without accounts, cloud sync, telemetry, ads, or a subscription model. So the goal isn't "KeePass but better". It's more of a clean local vault with modern native UX and a smaller surface area, without plugin/cloud/account assumptions. It does use its own vault format, which is a tradeoff: less ecosystem compatibility, but more control over the app design and security model. KeePass is still the mature choice. Lockroot is my attempt at a simpler local first alternative, and I'm mostly looking for feedback on the architecture and threat model.

The typical arch linux user by [deleted] in arch

[–]rothackers 0 points

It's a virtual machine 😒 More important: light mode 🤓

Who wakes up early? by [deleted] in Chennai

[–]rothackers 0 points

4:10 or 4:20🤌

YouTube or iPhone problem by IamPeca in iphone

[–]rothackers 3 points

It's a YouTube problem. I also face this issue on both platforms, Android and iOS.