Skip to content

Security: phnx-im/air

SECURITY.md

Security Policy

Thank you for helping keep Air and its users safe. We appreciate your help.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues, pull requests, discussions, social media, or public forums.

Instead, please report vulnerabilities privately using one of these methods:

If possible, please include:

  • A description of the issue and its potential impact.
  • Steps to reproduce the issue.
  • The affected platform, app version, commit, or environment.
  • Any relevant proof of concept, logs, screenshots, or test data.
  • Whether you believe user messages, encryption keys, authentication tokens, metadata, or account access may be affected.

We will make a good-faith effort to acknowledge your report within three business days and provide updates as we investigate.

Coordinated disclosure

We follow a coordinated-disclosure process. Please give us a reasonable opportunity to investigate and release a fix before disclosing details publicly. We are happy to credit you in any advisory once the issue is resolved, unless you prefer to remain anonymous.

Safe harbor

We will not pursue or support legal action against anyone who, in good faith, discovers and reports a vulnerability in accordance with this policy. This includes accessing only the minimum amount of data needed to demonstrate the issue, avoiding privacy violations and disruption to our services, and not exfiltrating, modifying, or destroying data. If in doubt, contact us first.

There aren't any published security advisories