The Vauchi team takes security seriously. We appreciate your efforts to responsibly disclose your findings.
Do NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to security@vauchi.app (see the contact details at the end of this document).
Include the following information:
- Type of vulnerability (e.g., buffer overflow, cryptographic weakness, data exposure)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment and potential attack scenarios
| Timeline | Action |
|---|---|
| 24 hours | Acknowledgment of your report |
| 72 hours | Initial assessment and severity classification |
| 7 days | Detailed response with remediation plan |
| 90 days | Public disclosure (coordinated with reporter) |
We will keep you informed of our progress throughout the process.
In Scope:
- vauchi-core - Cryptographic implementation, key management, data storage
- vauchi-platform - UniFFI bindings, mobile-specific security
Out of Scope:
- Third-party dependencies (report directly to maintainers, but let us know)
- Social engineering attacks
- Denial of service attacks that don't reveal design flaws
- Issues in development/test environments only
We consider security research conducted in accordance with this policy to be:
- Authorized under the Computer Fraud and Abuse Act (CFAA)
- Exempt from DMCA restrictions on circumvention
- Lawful and helpful to the overall security of the project
We will not pursue legal action against researchers who:
- Act in good faith
- Avoid privacy violations, data destruction, and service disruption
- Report findings promptly and allow reasonable time for remediation
- Do not exploit vulnerabilities beyond proof-of-concept
We recognize security researchers who help improve Vauchi:
- Acknowledgment in release notes (with permission)
- Listing in our Security Hall of Fame (optional)
- Reference letters for researchers (upon request)
We are a nonprofit and cannot offer monetary bounties at this time.
For details on Vauchi's security architecture, see:
- Threat Analysis - _private/docs/reference/threat-analysis.md (internal)
- Security Audit Checklist - _private/docs/reference/security-audit.md (internal)
- Architecture - System design
| Property | Implementation |
|---|---|
| End-to-end encryption | XChaCha20-Poly1305 with per-contact keys |
| Forward secrecy | Double Ratchet protocol (X3DH key agreement) |
| Key derivation | HKDF-SHA256 with domain separation |
| Password protection | Argon2id + zxcvbn validation |
| Key exchange | X25519 (Diffie-Hellman) + Ed25519 (signatures) |
| Key zeroing | zeroize crate for memory cleanup |
| Cryptographic library | RustCrypto audited crates (primary), aws-lc-rs for TLS only |
| Version | Supported |
|---|---|
| 1.x.x | Yes |
| < 1.0 | No (pre-release) |
- Security issues: security@vauchi.app
- General questions: hello@vauchi.app
- Project: https://github.com/vauchi