Prototype Software Disclaimer
The xx network public alpha is prototype software. It is not ready to be used as intended in hostile environments. It may contain vulnerabilities that expose you to additional risk. Do not use it if you are at risk, and please do not run it on systems or networks where you keep sensitive data at this time.
While the public alpha software is built to provide privacy by protecting metadata as well as to provide end-to-end encryption, it contains known security limitations, and it may contain unknown vulnerabilities or otherwise not implement the features its developers intend. This document discusses the limitations of the client and server applications as we currently know them at the release of the public alpha messenger.
Reporting Problems
If you find a problem that could be a security problem, please contact us at [email protected] and encrypt the message using the PGP keys that can be found on the MIT PGP public key server, https://pgp.mit.edu. Please remember that subject lines in PGP-encrypted emails are not encrypted. You can also contact members of our team directly, in person, to exchange information.
If your problem is not security related, you can report it to [email protected]. Please note that we will not offer any bug bounties during the prototype period, but we will publish and give credit to individuals who report bugs to us.
Key Problems in the Current Network
The key problems with the xx network public alpha are:
- The final design for the mixnet encryption AND the client-to-client end-to-end communication has not been finalized and vetted.
- The metadata protection has not been thoroughly vetted with a network analysis.
- It has not been independently reviewed by 3rd parties.
If you are interested in helping us with any of the above, please let us know.