Security & Responsible Disclosure

EmberChamber is currently in a public beta. We take the security of our messaging state and local caches seriously, and welcome audits and feedback from researchers.

Reporting a Vulnerability

If you discover a security issue, please disclose it to us responsibly. Do not publish vulnerability details until we have had a reasonable amount of time to review and address the issue.

Security Contact Email

support@emberchamber.com

What to Include in Your Report

To help us understand and resolve the issue quickly, please include:

  • A clear description of the vulnerability and its potential impact.
  • Detailed step-by-step instructions (or a proof-of-concept script) to reproduce the behavior.
  • The specific platform (Web companion, Android client, Windows, or Ubuntu desktop shell) and version affected.
  • Your contact information and public PGP key if you wish to encrypt further communication.

In-Scope Areas

We are especially interested in reports addressing:

  • Client-side cryptographic failures in message decryption or group epoch state transitions.
  • Unauthorized access to other users' mailbox ciphertext envelopes on the hosted relay.
  • Remote code execution or sandbox escapes in Tauri desktop shells or Android APKs.
  • Local cache database decryption bypasses.

Out-of-Scope and Prohibited Activities

Responsible Testing Ground Rules

Please do not attack real users or disrupt service. The following actions are strictly out of scope and constitute violations of our terms:

  • Denial of Service (DoS/DDoS) attacks against the relay.
  • Spamming or sending unsolicited invitations to test endpoints.
  • Social engineering or phishing of EmberChamber users or developers.
  • Accessing or modifying data belonging to other active accounts without authorization.

Beta Status Notice

Because this is an active beta project, features and protocols are updated frequently. We do not currently operate a financial bug bounty program, but we will credit contributing security researchers in our Changelog and repository commit history.

For more information on our encryption boundaries, please see our Trust & Safety Model and the Official GitHub Security Policy.