RESPONSIBLE DISCLOSURE

Security

Q-Audion is an end-to-end encrypted, post-quantum messaging and voice application. We treat security reports as first-class engineering work. This page is the canonical reporting channel until the managed bug bounty program goes live.

Contact

PGP key fingerprint

Will be published here alongside the public key block before the public 1.0 release.

Encrypted alternative

Open a draft security advisory in the Security tab of the relevant Q-Audion repository (GitHub private vulnerability reporting).

What we commit to

  • Acknowledgement within 48 business hours of receipt
  • Triage and severity classification within 5 business days
  • 90-day coordinated disclosure window by default, extended only with reporter agreement when a complex fix is required
  • Public credit in release notes unless you ask for anonymity

Bug bounty

A managed bug bounty program will be live before the public 1.0 release. Until then, we offer good-faith rewards on a case-by-case basis for high-impact findings.

Scope

In scope
  • All Q-Audion server code (identity, key management, transport, group, prekey, file storage)
  • All published Q-Audion clients on Android, iOS and Desktop (Windows / macOS / Linux when shipped)
  • Cryptographic protocol design (PQ handshake, post-quantum double ratchet, Sealed Sender, Sigsum Key Transparency)
  • Wire-spec drift that causes unsafe cross-platform behavior
Out of scope
  • Issues requiring physical access to an unlocked device
  • Self-XSS that does not cross a trust boundary
  • Issues that only affect browser or OS versions outside the vendor's support window
  • Volumetric DDoS that does not exploit a logic flaw
  • Social engineering of Q-Audion staff
  • Reports based on automated scanner output without a working proof-of-concept

Open wire specification

The cross-platform protocol contract is byte-identical across all Q-Audion clients. The spec is mirrored into each client repository and the server repository, and any wire change is gated on the commit that updates it. Independent reviewers can read the spec before opening a session, and the library implementations (liboqs, BouncyCastle, @noble/post-quantum) are cross-validated against shared known-answer-test (KAT) vectors.
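The kind of KAT cross-validation described above, as an added example (this is not Q-Audion's own code or test harness). It parses NIST-style .rsp records, runs each candidate implementation on every record's seed, and reports mismatches by record index and field, so a drift in the shared-secret derivation shows up as "ss" rather than as a generic failure. The "KEM" here is a stand-in that derives pk/ct/ss from the seed with SHAKE256 so the block runs from the Python standard library; it is not ML-KEM, the seeds and vectors are constructed for the example, and the function names (parse_rsp, check_impl, cross_validate, make_kat_text) are the example's own.

```python
"""KAT cross-validation harness (added example; not Q-Audion project code).

Parses NIST-style .rsp KAT records and checks deterministic KEM
implementations against them, reporting every (count, field) that drifts.
The stand-in KEM below is NOT ML-KEM: it derives pk/ct/ss from the seed
with SHAKE256 only so that the harness runs offline from the stdlib.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

# Fields a KEM KAT record carries for each seed (pk/ct/ss; sk omitted here).
KEM_FIELDS = ("pk", "ct", "ss")

Record = Dict[str, object]          # {"count": int, "seed": bytes, "pk": bytes, ...}
Impl = Callable[[bytes], Dict[str, bytes]]


def parse_rsp(text: str) -> List[Record]:
    """Parse 'key = hex' lines into records separated by blank lines.
    '#' comment lines and '[section]' headers are skipped; 'count' is kept
    as an int so that mismatches can be reported by record index."""
    records: List[Record] = []
    current: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            if current:                      # blank/comment closes a record
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        current[key] = int(value) if key == "count" else bytes.fromhex(value)
    if current:                              # file without trailing blank line
        records.append(current)
    return records


def _shake(*parts: bytes, n: int = 32) -> bytes:
    h = hashlib.shake_256()
    for p in parts:
        h.update(p)
    return h.digest(n)


def reference_kem(seed: bytes) -> Dict[str, bytes]:
    """Stand-in for the reference implementation that produced the KAT."""
    return {f: _shake(seed, f.encode()) for f in KEM_FIELDS}


def drifted_kem(seed: bytes) -> Dict[str, bytes]:
    """A candidate whose shared-secret derivation drifted from the spec
    (constructed fault: wrong domain separator, everything else matches)."""
    out = reference_kem(seed)
    out["ss"] = _shake(seed, b"SS")
    return out


def check_impl(impl: Impl, records: List[Record]) -> List[Tuple[int, str]]:
    """Run impl on each record's seed; return (count, field) per mismatch.
    A field missing from a truncated record is reported, not skipped."""
    mismatches = []
    for rec in records:
        got = impl(rec["seed"])
        for field in KEM_FIELDS:
            if got[field] != rec.get(field):
                mismatches.append((rec["count"], field))
    return mismatches


def cross_validate(impls: Dict[str, Impl], kat_text: str) -> Dict[str, List[Tuple[int, str]]]:
    """Check every named implementation against the same shared vectors."""
    records = parse_rsp(kat_text)
    return {name: check_impl(impl, records) for name, impl in impls.items()}


def make_kat_text(seeds: List[bytes]) -> str:
    """Emit .rsp text from the reference implementation, which is how a
    shared vector file is produced before other libraries verify against it."""
    lines = ["# constructed KAT for the stand-in KEM (example data, not ML-KEM vectors)", ""]
    for i, seed in enumerate(seeds):
        out = reference_kem(seed)
        lines.append(f"count = {i}")
        lines.append(f"seed = {seed.hex()}")
        lines.extend(f"{f} = {out[f].hex()}" for f in KEM_FIELDS)
        lines.append("")
    return "\n".join(lines)


# Constructed seeds; real KATs use 48-byte DRBG seeds, any bytes work here.
SEEDS = [bytes([i]) * 48 for i in range(3)]
KAT_TEXT = make_kat_text(SEEDS)

if __name__ == "__main__":
    report = cross_validate({"reference": reference_kem, "candidate": drifted_kem}, KAT_TEXT)
    for name, bad in report.items():
        print(name, "OK" if not bad else f"MISMATCH at {bad}")
```

Running it reports the reference as clean and the candidate as failing on "ss" for every record, which is the signal a reviewer wants: keygen and encapsulation agree across libraries, and the drift is isolated to the shared-secret derivation. With real ML-KEM vectors the same harness applies unchanged; only the implementation callables differ.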

Reproducible builds (1.0 target)

All 1.0 release artifacts (APK, IPA via TestFlight, Desktop installers) will be Sigstore-signed. Independent reproducibility from source is a release-gating criterion: anyone can rebuild from the public source and verify that the shipped binary matches it.

ANTI-DEEPFAKE ALWAYS ACTIVE · ENCRYPTED AND UNENCRYPTED CALLS · ZERO DATA TRANSMITTED · SOVEREIGN OPERATIONS · POST-QUANTUM ML-KEM-1024 · 3 PATENTS FILED