We take security seriously at Privatus-chat. The following versions are currently supported with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability, please DO NOT create a public GitHub issue. Instead, please report it responsibly using one of the following methods:
Send details to: [email protected]
Please encrypt your email using our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
[PGP Key would be here in production]
-----END PGP PUBLIC KEY BLOCK-----
Use GitHub's private security advisory feature:
- Go to the Security tab
- Click "Report a vulnerability"
- Fill out the form with details
When reporting a vulnerability, please include:
- Description: Clear explanation of the vulnerability
- Impact: What can an attacker achieve?
- Steps to Reproduce: Detailed steps to trigger the vulnerability
- Affected Versions: Which versions are vulnerable?
- Proof of Concept: Code or screenshots if applicable
- Suggested Fix: If you have ideas for remediation
Response timeline:
- Initial Response: Within 48 hours
- Status Update: Within 7 days
- Fix Timeline: Depends on severity (see below)
| Severity | Description | Fix Timeline |
|---|---|---|
| Critical | Remote code execution, key compromise | 24-48 hours |
| High | Data breach, authentication bypass | 7 days |
| Medium | Information disclosure, DoS | 30 days |
| Low | Minor issues with limited impact | 90 days |
Security measures:
- Code Review: All code is reviewed before merge
- Automated Security Scanning: Regular vulnerability scans
- Dependency Updates: Regular updates of dependencies
- Security Audits: Periodic third-party audits
- Bug Bounty Program: Rewards for responsible disclosure
Our cryptographic implementations use:
- Algorithms: Only NIST-approved or widely-audited algorithms
- Libraries: Well-maintained, audited cryptographic libraries
- Key Management: Secure key generation and storage
- Random Numbers: Cryptographically secure random number generators
Secure development practices:
- Principle of Least Privilege: Minimal permissions required
- Defense in Depth: Multiple layers of security
- Input Validation: All user input is validated
- Output Encoding: Proper encoding to prevent injection
- Error Handling: Secure error messages without information leakage
We run a bug bounty program to reward security researchers.
In scope:
- Privatus-chat application (all versions)
- Cryptographic implementations
- Network protocols
- Key management systems
- Authentication mechanisms
Out of scope:
- Denial of Service attacks
- Social engineering
- Physical attacks
- Attacks requiring physical access
Rewards are based on severity and impact:
| Severity | Reward Range |
|---|---|
| Critical | $1,000 - $5,000 |
| High | $500 - $1,000 |
| Medium | $100 - $500 |
| Low | $50 - $100 |
Program rules:
- Responsible Disclosure: Report privately first
- No Damage: Don't harm users or systems
- No Data Theft: Don't access user data
- Good Faith: Act in good faith
- No Public Disclosure: Wait for fix before public disclosure
Security features:
- Signal Protocol implementation
- Perfect forward secrecy
- Post-compromise security
- Onion routing for metadata protection
- Traffic analysis resistance
- No IP address leakage
- Encrypted local database
- Secure key storage
- Automatic secure deletion
- Certificate pinning
- Man-in-the-middle protection
- Secure peer verification
Disclosure process:
- Report Received: We acknowledge receipt
- Verification: We verify the vulnerability
- Fix Development: We develop a fix
- Testing: Thorough testing of the fix
- Release: Security update released
- Disclosure: Coordinated public disclosure
We credit researchers who:
- Report valid vulnerabilities
- Follow responsible disclosure
- Work with us on fixes
Credits appear in:
- Security advisories
- Release notes
- Hall of Fame
Past security advisories can be found in the Security Advisories section.
Contact:
- Email: [email protected]
- PGP Key: Download
- Bug Bounty: [email protected]
We are committed to:
- Fast response to security issues
- Transparent communication
- Regular security updates
- Continuous security improvement
Thank you for helping keep Privatus-chat secure!