Security & responsible disclosure
Obsidian is an end-to-end-encrypted messenger. Good-faith security research is welcome and appreciated.
Context: this is a personal project in closed pre-alpha. Response is best-effort by a solo maintainer — no formal SLA.
Reporting a vulnerability
Please report privately — do not post a security bug publicly before we've had a chance to fix it.
- Email contact@obsidianchat.in with the subject line starting SECURITY:.
- Include: what you found, where (screen/endpoint/behaviour), how to reproduce it, and the impact.
You can expect a best-effort acknowledgement and, where a fix is warranted, a follow-up once it lands.
Safe harbour
We will not pursue or support legal action against researchers who, in good faith:
- access only their own accounts/data (or test data) while investigating,
- avoid privacy violations, data destruction, and service degradation for others,
- give us a reasonable chance to remediate before public disclosure.
Scope
In scope — the trust boundaries that matter:
- The crypto pipeline — AES-256-GCM with RSA-2048-OAEP key wrapping, authenticated data binding, key rotation.
- The sealed-sender + mailbox-token design — anything that lets relay data reconstruct who talked to whom (see How to attack this).
- Key storage — OS secure store (keys) and SQLCipher (local database).
- Relay access rules — message/media create and read scoping, user enumeration.
- Authentication — login and registration.
Out of scope — known or accepted:
- Social engineering, phishing, or physical access to an unlocked device.
- Denial-of-service / volumetric attacks on the relay.
- Findings that require a compromised OS / rooted device with the secure store already defeated.
- The residual metadata leaks already documented in the threat model (timing, IP addresses, traffic volume, the transient friend-request record).
Not a vulnerability (by design)
- The relay can see an opaque mailbox token and a timestamp for each message, for ≤24h before the wipe — it never sees content, sender, or recipient identity. See the privacy policy.
- A user's public key is intentionally shared so friends can encrypt to them.
security.txt
This site publishes /.well-known/security.txt (RFC 9116).