RESPONSIBLE DISCLOSURE
Security
BCrypto builds end-to-end encrypted post-quantum communication products (Q-Audion). We treat security reports as first-class engineering work. This page is the canonical reporting channel until the managed bug bounty goes live.
Contact
Will be published here alongside the public key block before the public 1.0 release.
Open a draft security advisory in the Security tab of the relevant BCrypto repository (GitHub private vulnerability reporting).
What we commit to
- Acknowledgement within 48 business hours of receipt
- Triage and severity classification within 5 business days
- 90-day coordinated disclosure window by default, extended only with reporter agreement when a complex fix is required
- Public credit in release notes unless you ask for anonymity
Bug bounty
A managed bug bounty program will be live before the public 1.0 release of Q-Audion. Until then, we offer good-faith rewards on a case-by-case basis for high-impact findings.
Scope
- +All BCrypto server code (identity, key management, transport, group, prekey, file storage)
- +All published Q-Audion clients on Android, iOS and Desktop
- +Cryptographic protocol design (PQ handshake, post-quantum double ratchet, Sealed Sender, Sigsum Key Transparency)
- +Wire-spec drift causing cross-platform unsafe behavior
- −Issues requiring physical access to an unlocked device
- −Self-inflicted XSS without crossing a trust boundary
- −Outdated browser/OS versions per vendor support windows
- −Volumetric DDoS without a logic flaw
- −Social engineering of BCrypto staff
- −Reports based on automated scanner output without a working proof-of-concept
Open wire specification
The cross-platform protocol contract is byte-identical across all Q-Audion clients. The spec is mirrored across the client repositories and the server repository as the gating commit for any wire change. Independent reviewers can read it before opening a session — library implementations (liboqs, BouncyCastle, @noble/post-quantum) are cross-validated against shared KAT vectors.
Reproducible builds (1.0 target)
All Q-Audion 1.0 release artifacts (APK, IPA via TestFlight, Desktop installers) will be Sigstore-signed. Independent reproducibility from source is a release-go criterion: anyone can verify the shipped binary matches the public source.