Thank you for helping keep Air and its users safe. We appreciate your help.
Please do not report security vulnerabilities through public GitHub issues, pull requests, discussions, social media, or public forums.
Instead, please report vulnerabilities privately using one of these methods:
- GitHub Private Vulnerability Reporting for this repository
- Email us at [email protected]. For sensitive reports you can encrypt your email to our PGP key, published at https://air.ms/.well-known/air-security.asc.
If possible, please include:
- A description of the issue and its potential impact.
- Steps to reproduce the issue.
- The affected platform, app version, commit, or environment.
- Any relevant proof of concept, logs, screenshots, or test data.
- Whether you believe user messages, encryption keys, authentication tokens, metadata, or account access may be affected.
We will make a good-faith effort to acknowledge your report within three business days and provide updates as we investigate.
We follow a coordinated-disclosure process. Please give us a reasonable opportunity to investigate and release a fix before disclosing details publicly. We are happy to credit you in any advisory once the issue is resolved, unless you prefer to remain anonymous.
We will not pursue or support legal action against anyone who, in good faith, discovers and reports a vulnerability in accordance with this policy. This includes accessing only the minimum amount of data needed to demonstrate the issue, avoiding privacy violations and disruption to our services, and not exfiltrating, modifying, or destroying data. If in doubt, contact us first.