Only the latest release receives security fixes. Check the releases page for the current version.

| Version | Supported |
|---|---|
| latest | Yes |
| older | No |

If you find a security issue in siggy, please report it privately:
- Do not open a public issue. Security bugs need to be handled carefully to avoid exposing users before a fix is available.
- Use GitHub's private vulnerability reporting: Report a vulnerability
- Alternatively, email the maintainer directly (see the GitHub profile for contact info).

Please include:
- A description of the issue and its potential impact
- Steps to reproduce or a proof of concept
- The version of siggy affected

What to expect after you report:

- I will acknowledge your report within 48 hours.
- I will provide an initial assessment within 1 week.
- Fixes will be released as a patch version (e.g. v1.5.1) with credit to the reporter unless you prefer to remain anonymous.

siggy is a TUI layer over signal-cli. It does not implement cryptographic protocols or contact Signal servers directly. Security issues in the Signal Protocol itself should be reported to the Signal team.

Issues in scope for siggy include:
- Command injection or escape sequence injection
- Path traversal in attachment handling
- Information leakage (credentials, message content in logs/temp files)
- Denial of service via crafted input
- Any bypass of siggy's security features (incognito mode, debug redaction, etc.)