<!-- SPDX-License-Identifier: AGPL-3.0-or-later -->
# Security Policy

pvtcoms is a security- and privacy-critical project. We take vulnerabilities seriously and appreciate
responsible disclosure.

> **Status:** pre-alpha, **not yet audited**. Treat the current code as experimental.

## Reporting a vulnerability

**Please report privately — do NOT open a public issue for security problems.**

- Preferred: a private security advisory on the project's repository (GitHub "Report a vulnerability"),
  or email the maintainers (contact published with the first release / project page — TBD).
- Please include: the affected component and version (or commit), a description of the issue and its impact,
  and reproduction steps or a proof of concept.
- We aim to acknowledge reports promptly and to coordinate a fix and disclosure timeline with you.
- A PGP key for encrypted reports will be published with the first release.

There is no paid bug-bounty program yet.

## Scope

In scope: the Rust core (crypto, transport, mailbox, wire protocol, storage), the FFI surface, and the
official Android/desktop clients. The **trust boundary and explicitly out-of-scope threats** (e.g. a
compromised OS, 0-click spyware, or user-granted screen scrapers) are documented in
[`THREAT_MODEL.md`](./THREAT_MODEL.md); please read it before reporting endpoint-compromise issues.

## Supply chain & dependencies

- Dependencies are pinned (`Cargo.lock`) and gated by [`deny.toml`](./deny.toml) (`cargo deny` /
  `cargo audit` in CI). Native libraries (OpenSSL, and SQLite via SQLCipher) are not covered by
  `cargo audit`, which only checks Rust crates against the RustSec database, so they are scanned separately.
- Reproducible builds are a goal, so that a published binary can be independently rebuilt and compared
  against this source.
- Developer guidance and the secure-config checklist live in `docs/SECURITY.md`.
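To make the gating concrete, here is an illustrative `deny.toml` of the shape `cargo deny check` consumes. It is an added example, not the project's actual `deny.toml`; the licence allow-list, the confidence threshold, and the choice to warn rather than fail on duplicate crate versions are assumptions for illustration.

```toml
# Illustrative cargo-deny configuration (example only, not pvtcoms' own deny.toml).
# `cargo deny check` in CI evaluates every section below; each one fails the
# build independently.

[advisories]
# Every crate in Cargo.lock is matched against the RustSec advisory database;
# a known vulnerability fails the check. Keep this list empty unless an advisory
# has been triaged, and record the reason next to any entry you add.
ignore = []
# A yanked crate version usually means the publisher found a problem with it.
yanked = "deny"

[licenses]
# Assumed allow-list: a crate whose licence is outside it (or missing) fails.
allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "AGPL-3.0-or-later"]
# Require a confident SPDX match before a licence text counts as one of the above
# (assumed value; the default is lower).
confidence-threshold = 0.93

[bans]
# Two versions of one crate doubles the code to review; warn, do not block.
multiple-versions = "warn"
# A `*` version requirement defeats pinning and is rejected outright.
wildcards = "deny"

[sources]
# Only the crates.io index may supply crates; git dependencies and unknown
# registries fail, which closes the door on typosquatted or private forks.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

The check runs against the committed `Cargo.lock`, so it only proves anything if CI also builds with `--locked`; a lockfile that is silently regenerated on the build machine would pass the gate with a different dependency set than the one reviewed.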

## Our commitments

No telemetry or analytics. Secrets are never logged. We fail closed: if the private transport is
unavailable, the client refuses to send rather than falling back to the clear net. A named
third-party audit is a release gate before any public "secure/anonymous" claim.
