| Version | Supported |
|---|---|
| 1.x | ✅ Security updates |
| < 1.0 | ❌ No longer supported |

Please do NOT open a public GitHub issue for security vulnerabilities.
Preferred: Use GitHub's built-in Private Vulnerability Reporting to submit reports directly on GitHub.
Fallback: If GitHub private reporting is unavailable, email the maintainer at the address listed in the GitHub profile.

Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested fix (if any)

| Step | Timeframe |
|---|---|
| Acknowledgment | Within 72 hours |
| Initial assessment | Within 1 week |
| Fix development | Depends on severity |
| Coordinated disclosure | After fix is released |

The following areas are in scope for security reports:
- E2EE implementation — Key generation, AES-256-GCM encryption/decryption, IV handling
- WebSocket protocol — Message injection, replay attacks, protocol downgrade
- Server relay logic — Information leakage, unauthorized room access, denial of service
- Authentication bypass — Room password bypass, share code prediction
- Client-side crypto — Key exposure, side-channel attacks, weak randomness

Out of scope:
- Social engineering attacks
- Denial of service via resource exhaustion (known limitation of free-tier hosting)
- Issues in third-party dependencies (report upstream)

We follow coordinated disclosure:
- Reporter submits vulnerability privately
- We acknowledge and assess
- We develop and test a fix
- We release the fix and publish a security advisory
- Reporter receives credit in the advisory (unless anonymity is requested)

We believe in recognizing security researchers. Unless you request anonymity, you will be credited in:
- The GitHub Security Advisory
- The release notes for the fixing version
- The project's SECURITY.md acknowledgments section

No vulnerabilities have been reported yet. Be the first to make a responsible disclosure!