Security

Security is the product here, not a feature — so we treat reports as gifts. If you have found a weakness in the YGOOW relay, the Android app, or the cryptography, we want to hear from you.

How to report

Email security@ygoow.com. A machine-readable contact lives at /.well-known/security.txt (RFC 9116). A PGP key for encrypted reports is coming; until then, include a secure way to reach you and we will set up an encrypted channel before exchanging details.

Please tell us what you found, how to reproduce it, and the impact you believe it has. A working proof-of-concept helps us confirm quickly.

What we commit to

• No legal action against good-faith research that respects the boundaries below. Test against your own devices and your own data.
• Acknowledgement within a few days, and honest updates as we work the issue.
• Credit when a fix ships — publicly if you want it, silently if you do not.
• Coordinated disclosure: give us a reasonable window to fix before going public. We will not sit on it.

In scope

• The relay server — API, WebSocket, store-and-forward, one-time token handling.
• The Android app — key handling, on-device storage, the embedded Tor path.
• The cryptographic core — key derivation, AEAD (“Variant C”), the forward-secrecy ratchet, Shamir quorum, identity and QR exchange.

Out of scope

• Social engineering, physical attacks, or anything targeting our users or staff.
• Denial-of-service or volumetric testing against the live relay.
• Findings that require an already-compromised device — we say plainly that no messenger survives that.
• Automated-scanner output with no demonstrated impact.

What we don’t pretend

We do not run a paid bug bounty yet, and we will not imply otherwise. What we offer is a fast, honest, no-lawyers response and public credit. As the project matures — and ahead of the independent audit we have committed to — this will grow.