Skip to main content Voidlogue Security - Open-Source Cryptography & Privacy Skip to main content
Conversation Revelation Pricing

Security

Open-Source Cryptography

Published for independent audit and verification

Our cryptographic code is open-source and published on npm for anyone to inspect, audit, and verify. Don't take our word for it — check it yourself.

Our Code is Open-Source

Voidlogue's cryptographic primitives are published as the voidlogue-crypto package on npm. This is exactly the same code running in your browser when you use Voidlogue.

The package includes:

  • VoidShield — Core cryptographic operations for conversations and revelations
  • Vault — Local encryption for saved conversation credentials
  • Complete test suite — Comprehensive tests covering all cryptographic operations
  • Security documentation — Technical details of our security measures

We encourage you to audit our code. Install the package, run the tests, and verify that our privacy claims hold up under scrutiny.

Independent Audit & Verification

To prove our privacy claims, we've made our cryptographic implementation completely transparent. The voidlogue-crypto package demonstrates:

  • We cannot read your messages — Client-side encryption with keys never sent to our servers
  • We cannot read your Revelations — Media encryption with keys derived from security fields you control
  • Your saved shortcuts are locally encrypted — PIN-based encryption that never leaves your device

Report vulnerabilities: If you find any security issues in our cryptographic implementation, please email security@voidlogue.com. We will acknowledge within 48 hours and aim to resolve critical issues within 7 days.

Cryptographic Security Measures

Encryption Algorithms

  • AES-256-GCM — Industry-standard authenticated encryption with 256-bit keys
  • PBKDF2 — Key derivation with 600,000 iterations (2,000,000 for local vault)
  • Post-quantum hybrid — Kyber-768 + AES-256-GCM protection against future quantum attacks

Key Security

  • Client-side key derivation — Keys are never transmitted to our servers
  • Non-extractable keys — Web Crypto API prevents key export
  • Random IVs — Each encryption operation uses a unique initialization vector

Implementation Details

  • Web Crypto API — Hardware-accelerated cryptography in your browser
  • No third-party crypto libraries — Zero dependencies for cryptographic operations
  • Comprehensive testing — Full test coverage of cryptographic primitives

What We Protect Against

Our security measures are designed to protect against common threats:

  • Server compromise — We store only ciphertext that cannot be decrypted
  • Legal demands for content — We have no decryptable content to provide
  • Physical device access — Local vault encryption protects saved credentials
  • Brute force attacks — High iteration counts make key derivation computationally expensive
  • Future quantum computing — Post-quantum hybrid encryption provides forward security

Security Limitations

While we provide strong cryptographic protections, no system is completely secure. We cannot protect against:

  • Metadata analysis — Who communicates with whom and when
  • Network surveillance — Traffic analysis and interception
  • Compromised devices — Malware or physical access to your device
  • Social engineering — Phishing or other human-targeted attacks
  • Google account compromise — Our authentication layer

Verify Our Code

To verify that the deployed code matches the open-source package:

  1. Open voidlogue.com in your browser
  2. Open Developer Tools (F12) → Sources
  3. Search for "VoidShield" or "voidlogue-crypto"
  4. Compare the implementation with the published source code

The cryptographic primitives are identical. Any differences would indicate a serious security issue.

Security Contact

Responsible disclosure: security@voidlogue.com

We appreciate security researchers who follow responsible disclosure practices. We will:

  • Acknowledge reports within 48 hours
  • Provide regular updates on our progress
  • Credit researchers in release notes (unless anonymity is requested)
  • Resolve critical issues within 7 days

Bug Bounty Program

Voidlogue is committed to the highest standards of security and privacy. To foster transparency and community involvement, we run a bug bounty program that rewards security researchers for responsibly disclosing vulnerabilities in our public-facing systems.

By participating, you help us strengthen Voidlogue's defenses and demonstrate our dedication to user privacy. Testing is conducted against the live platform at voidlogue.com, with client-side cryptography available in our public voidlogue-crypto repository.

Note: The bug bounty program is currently in setup phase and not yet active. We will announce when it goes live.

Scope

In Scope:

  • Voidlogue web application and API
  • Client-side encryption (Web Crypto API, AES-256-GCM, PBKDF2)
  • Revelation media handling and chunked encryption
  • Authentication and session management
  • Mobile app (if applicable)

Out of Scope:

  • Third-party services or libraries
  • Denial of Service attacks
  • Social engineering
  • Physical security

Rewards

Severity Description Reward
Critical Remote code execution, authentication bypass, encryption compromise $500–$1,000
High Significant vulnerabilities affecting message confidentiality $200–$500
Medium Logic flaws with moderate impact $50–$200
Low Minor issues $25–$50

How to Participate

  1. Review our full bug bounty policy
  2. Test responsibly without disrupting service
  3. Submit findings to security@voidlogue.com with detailed reproduction steps
  4. Receive acknowledgment within 48 hours
  5. Get paid upon validation and fix

Safe Harbor: We will not pursue legal action against researchers who follow this policy and conduct good-faith security research.