At Secure Messaging App, we take security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

Please report security vulnerabilities by emailing us at:

Email: [email protected]

Please include the following information in your report:

• Type of vulnerability
• Path or location of the vulnerable code
• Step-by-step instructions to reproduce the issue
• Impact of the vulnerability
• Any potential mitigations you've identified
• Whether you'd like to be credited for the finding (and if so, how you'd like to be credited)

• Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours.
• Communication: We will keep you informed of the progress towards fixing and releasing the necessary patches.
• Disclosure: We ask that you do not publicly disclose the vulnerability until we have had a chance to address it.

Secure Messaging App uses a multi-layered encryption approach:

1. Key Exchange: RSA-4096 for secure exchange of session keys
2. Message Encryption: AES-256-GCM for all message content
3. Message Authentication: GCM mode provides authentication and integrity verification

• Zero Storage: No message content is stored on the server
• Perfect Forward Secrecy: New session keys are generated regularly
• No Backdoors: The entire codebase is open source and auditable
• Modern Cryptography: Using only well-vetted cryptographic algorithms and implementations
• Secure Key Management: Proper handling of cryptographic keys with secure memory management

This application has not yet undergone a formal security audit. We are actively seeking security researchers to review our implementation.

If you are interested in conducting a security audit of this application, please contact us.

We regularly monitor our dependencies for known vulnerabilities using automated tools. Updates for security patches are prioritized and applied as soon as possible.

1. Keep Your Client Updated: Always use the latest version to benefit from security updates
2. Verify Identity: Always verify the identity of the person you're communicating with
3. Secure Your Device: Keep your device secure to protect the client application
4. Report Suspicious Activity: If you notice anything unusual, report it immediately

• This application does not provide protection against endpoint compromise (if your device is compromised, the encryption cannot protect your messages)
• The application does not implement perfect forward secrecy at the device level (if your long-term private key is compromised, past messages could potentially be decrypted)

Last updated: May 10, 2025