Security is at the core of EchoChat. We take all security reports seriously and appreciate the security research community's efforts in helping us maintain a secure platform.
- End-to-end encryption implementation (X25519, AES-256-GCM)
- Key exchange vulnerabilities
- Authentication/authorization bypasses
- Session management flaws
- WebSocket security issues
- Local data storage security
- Information disclosure
- Cryptographic weaknesses
- Denial of Service (DoS) attacks
- Social engineering
- Physical attacks
- Issues in dependencies (report to upstream)
- Issues requiring physical device access
- Theoretical attacks without proof of concept
- ❌ Open a public GitHub issue
- ❌ Disclose publicly before we've addressed it
- ❌ Exploit vulnerabilities against production systems
- ❌ Access other users' data
- Use GitHub's Private Security Reporting
  - Go to Security → Report a vulnerability
  - Or email details privately
- Include in Your Report
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
  - Your contact information
- Give Us Time
  - We aim to respond within 48 hours
  - Please allow up to 90 days for fixes before disclosure
```
┌─────────────────────────────────────────────────────┐
│                     CLIENT SIDE                     │
├─────────────────────────────────────────────────────┤
│ ✓ Private keys never leave device                   │
│ ✓ Messages encrypted before transmission            │
│ ✓ Keys stored in secure enclave/keychain            │
│ ✓ Session tokens are random, not user-identifying   │
└─────────────────────────────────────────────────────┘
                           │
                           │ Only encrypted data
                           ▼
┌─────────────────────────────────────────────────────┐
│                     SERVER SIDE                     │
├─────────────────────────────────────────────────────┤
│ ✓ Zero knowledge of message contents                │
│ ✓ No persistent user data storage                   │
│ ✓ Sessions auto-expire after 3 days                 │
│ ✓ Only anonymous tokens, no user tracking           │
└─────────────────────────────────────────────────────┘
```
| Purpose | Algorithm | Notes |
|---|---|---|
| Key Exchange | X25519 | Curve25519 ECDH |
| Encryption | AES-256-GCM | Authenticated encryption |
| Nonce | 96-bit random | Per-message |
| Key Storage | Platform Keychain | iOS Keychain / Android Keystore |
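As an added illustration of the table above (example code, not EchoChat's own implementation), the following Go program wires these primitives together the way the client-side box describes: X25519 agreement, a key-derivation step (HKDF-SHA256 with salt and info labels assumed here, since the page does not specify a KDF), and AES-256-GCM with a fresh random 96-bit nonce per message, so that a relay server only ever holds nonce, ciphertext and tag.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// DeriveKey: HKDF-SHA256 (extract + one expand block) over the X25519 secret; salt/info are assumptions, not EchoChat's.
func DeriveKey(shared []byte) []byte {
	ext := hmac.New(sha256.New, []byte("echochat-example-salt"))
	ext.Write(shared)
	exp := hmac.New(sha256.New, ext.Sum(nil))
	exp.Write([]byte("echochat-aes-256-gcm\x01"))
	return exp.Sum(nil) // 32 bytes selects AES-256
}

// Seal encrypts under a fresh random 96-bit nonce; nonce||ciphertext||tag is all a relay server should hold.
func Seal(key, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // NonceSize() is 12 bytes = 96 bits
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // never fall back to a fixed or reused nonce
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open authenticates before decrypting: a modified ciphertext or tag is rejected.
func Open(key, wire []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(wire) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("message too short")
	}
	return gcm.Open(nil, wire[:gcm.NonceSize()], wire[gcm.NonceSize():], nil)
}

// Exchange swaps only X25519 public keys; each side derives the same AES key from its private key and the peer's public key.
func Exchange() (senderKey, receiverKey []byte) {
	alice, _ := ecdh.X25519().GenerateKey(rand.Reader)
	bob, _ := ecdh.X25519().GenerateKey(rand.Reader)
	sa, _ := alice.ECDH(bob.PublicKey())
	sb, _ := bob.ECDH(alice.PublicKey())
	return DeriveKey(sa), DeriveKey(sb)
}
```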
We believe in recognizing security researchers who help us:
- Public acknowledgment (if desired)
- Hall of Fame listing (coming soon)
- We're a small project, but we appreciate your help!
- GitHub Security Advisory: Preferred method
- Response Time: Within 48 hours
We support security research conducted in good faith. We will not pursue legal action against researchers who:
- Make a good faith effort to avoid privacy violations
- Do not exploit vulnerabilities beyond proof of concept
- Report vulnerabilities promptly
- Do not disclose issues before they're fixed
Thank you for helping keep EchoChat secure! 🛡️