Security & Open Source
1. Local-first: your data stays on your computer
Everything you put into CS2 Vault — holdings, trade history, cost basis, tax settings, API keys — is stored in a local database on your own machine. There is no CS2 Vault account, no cloud sync, and no server of ours that ever receives your portfolio. If you unplug the network, the app keeps working with your data intact.
For a tool that knows what your portfolio is worth and estimates your tax position, we think this is the right default: the most secure server is the one that doesn't exist.
2. Open source: audit it, don't trust it
The full source code is public at github.com/Rudizzle123/cs2vault-electron — the app you download is built from that repository. That means anyone can verify the claims on this page:
- What leaves your machine — every network call in the app goes through a single bridge in the Electron main process. You can search the code and see exactly which services are contacted and what is sent.
- How the tax engine works — every rate, allowance and calculation for all 10 jurisdictions is readable in plain JavaScript, not a black box.
- What gets stored — the local storage keys and their contents are defined in one place in the source.
If you find a security issue, please open an issue on the repository (or report it privately via GitHub's security advisory feature).
3. What the app connects to
The app makes direct requests from your computer to a small set of third-party services — pricing (CSFloat, Steam Community Market, optionally Pricempire), foreign-exchange rates (frankfurter.app / open.er-api.com), and GitHub Releases for update checks. These go straight from your device to the provider; we don't proxy or log them. The full list and what each receives is in our Privacy Policy.
4. Steam credentials (upcoming storage-unit import)
Today, inventory import uses only Steam's public inventory endpoint — no login, no credentials. A planned Vault Pro feature will import storage-unit contents, which Steam only exposes to a logged-in game session. When that ships, here is how credentials will be handled:
- You log in to Steam on your own machine, inside the app's main process — your credentials are used only to establish the Steam session and are never sent to us or any third party other than Steam itself.
- Your password is never stored. Only the session refresh token is kept, so you don't have to log in every time.
- That token is encrypted with Electron's
safeStorage, which uses your operating system's own credential encryption (DPAPI on Windows). It is readable only by your OS user account on that machine. - Steam Guard stays fully in effect — the app can't and doesn't bypass it.
Because the code is open source, this design will be verifiable in the repository when the feature ships, not just described here.
5. Payments
Vault Pro payments are handled entirely by Paddle as merchant of record. Your card details go to Paddle, never to us or through the app. The app itself only ever handles your licence key. Details are in the Privacy Policy.
6. Honest limits
No software is "unhackable" and we won't claim otherwise. The local-first design means the main thing protecting your data is the security of your own computer and OS user account — the same boundary that protects your documents and browser profile. Keep your OS updated, use disk encryption if the machine is shared or portable, and treat exported JSON backups as sensitive files, because they contain your full portfolio in plain text.
CS2 Vault is developed by a solo developer. Open-sourcing the code is a deliberate part of the security posture: more eyes on the code than one person could ever provide.
This page describes the app's architecture in good faith as of the date above. It is not a warranty or a guarantee of security. See the Terms and Privacy Policy for the legal terms that apply.