Security & coordinated disclosure

We treat security reports with care, urgency, and respect.

If you have found a security vulnerability in Sealr (the mobile apps, the marketing site, our infrastructure, our crypto, or any related system), please report it to us before disclosing it publicly. We'll work with you in good faith to investigate, fix, and credit you.

How to report

Coordinated disclosure security@sealr.chat

Please include:

• A short description of the issue.
• Steps to reproduce, with a minimal proof-of-concept if possible.
• The affected platform / app version / domain.
• Your impact assessment.
• Your name or handle, and whether you want public credit when we publish a fix.

Our commitment

• Acknowledge your report within 2 business days.
• Provide a triage assessment within 5 business days.
• Keep you informed as we investigate and fix.
• Credit you in our release notes (only if you want).
• Not pursue legal action against good-faith research that follows this policy.

Scope

In scope:

• The Sealr mobile apps (iOS, Android) on the latest released version.
• This website (sealr.chat) and its sub-domains.
• Our backend APIs and infrastructure (Firebase project, hosting, cloud functions).
• End-to-end encryption, key management, recovery vaults, message policy enforcement.

Out of scope:

• Social engineering of our team or our vendors.
• Physical attacks against our infrastructure.
• Denial of service that requires sustained traffic.
• Reports based on outdated software versions.
• Issues in third-party providers (please report those to the provider).

Safe harbor

We consider security research conducted in line with this policy to be authorised under our acceptable-use terms and we will not pursue legal action against you for activity that:

• Is performed in good faith.
• Does not compromise any user's data or privacy beyond what is necessary to demonstrate the issue.
• Stops as soon as you have enough information to file a report.
• Is reported to us before any public disclosure.

Public disclosure

We aim to publish a brief post-mortem (in our release notes or here) for non-trivial vulnerabilities once they have been fixed and users have had time to update.

Machine-readable contact

Our /.well-known/security.txt follows RFC 9116.