Plural Chat is built with privacy and security as core principles. We take security seriously because:

• Your data is yours - We don't collect, store, or transmit user data
• Local-first architecture - Everything stays on your device
• Plural community trust - Systems need safe spaces to communicate
• Open source transparency - All code is public and auditable

We actively maintain security for:

Always use the latest version for the best security and features.

Please DO NOT report security vulnerabilities through public GitHub issues.

For security issues, contact us privately:

1. Discord DM: Message duskfallcrew on our Discord
2. GitHub Security: Use GitHub's security advisory feature
3. Email: If you have our email, that works too

Please include as much of the following as possible:

• Vulnerability description - What's the issue?
• Impact assessment - What could an attacker do?
• Reproduction steps - How to reproduce the issue
• Affected versions - Which versions are vulnerable
• Proposed solution - If you have ideas for fixing it
• Your contact info - So we can follow up

• 24 hours - Initial acknowledgment
• 72 hours - Initial assessment and severity rating
• 1 week - Detailed investigation and fix timeline
• 2 weeks - Fix developed and tested (for high severity)
• Public disclosure - After fix is released and users have time to update

• No cloud storage - All data stays on your device
• No user accounts - No authentication servers to compromise
• No telemetry - We don't track usage or collect analytics
• Offline capable - Works without internet connection

• URL validation - Only trusted domains allowed
• File type checking - Only image files accepted
• Size limits - Prevents resource exhaustion
• Path traversal prevention - Secure local file storage
• Automatic compression - Reduces file size and removes metadata

• SQLite local storage - No remote database connections
• Parameterized queries - SQL injection prevention
• File permissions - Restrictive access controls
• No sensitive data - PluralKit tokens stored securely

• HTTPS only - All external connections use TLS
• Trusted domains - Whitelist approach for external resources
• Rate limiting - Prevents abuse of external APIs
• Timeout handling - Prevents hanging connections

• Input validation - All user inputs sanitized
• Error handling - Graceful failure without information leakage
• Dependency management - Regular updates of third-party libraries
• Code review - All changes reviewed before merging

• Local database - No network exposure
• Chat history - Stored locally only
• Member data - Private to your system
• Themes - Static configuration files

• Avatar downloads - External image fetching
• PluralKit API - Third-party API integration
• File imports - JSON/export file parsing
• Plugin system - When implemented, will need sandboxing

• Token storage - PluralKit tokens need secure storage
• External images - Avatar URLs from untrusted sources
• Export parsing - Malicious export files
• Future web features - Any future web integration

• Keep updated - Always use the latest version
• Trusted sources - Only download from official GitHub releases
• Review imports - Be cautious with export files from unknown sources
• Secure your device - Use device encryption and strong passwords
• PluralKit tokens - Don't share your PK token with anyone

• Follow secure coding practices - See CONTRIBUTING.md
• Validate all inputs - Never trust user-provided data
• Use parameterized queries - Prevent SQL injection
• Review dependencies - Keep third-party libraries updated
• Test security features - Verify validation and sanitization

Before releasing, we verify:

• All user inputs validated - No direct database queries
• External URLs whitelisted - Only trusted domains allowed
• File uploads sanitized - Images processed safely
• Error handling complete - No sensitive info in error messages
• Dependencies updated - All libraries are current
• Code reviewed - Security-focused review completed

✅ Yes - All data stays on your device, we never see it

✅ Protected - Tokens are stored securely and never transmitted except to PluralKit

✅ Validated - Only trusted domains, file type checking, size limits

⚠️ Validated - We parse carefully, but always review imports from unknown sources

🔮 Future feature - Will be sandboxed with explicit permission system

If a security issue is discovered:

1. Immediate containment - Assess and contain the issue
2. User notification - Alert users via GitHub and Discord
3. Emergency patch - Develop and test fix rapidly
4. Release update - Push fix to users immediately
5. Post-incident review - Analyze how to prevent similar issues

We track:

• Vulnerability disclosure time - How quickly we respond
• Fix deployment time - How quickly fixes reach users
• Security-related issues - GitHub issues labeled security
• Dependency updates - Frequency of security updates

Planned improvements:

• Code signing - Verify download authenticity
• Automatic updates - Security patches delivered automatically
• Enhanced token encryption - Stronger protection for stored tokens
• Plugin sandboxing - Secure plugin execution environment
• Security audits - Regular third-party security reviews

Learn more about security:

• OWASP Top 10 - Common web vulnerabilities
• Python Security Guide - Python-specific security
• SQLite Security - Database security best practices
• Secure Coding Practices - General secure coding

Responsible disclosure contributors:

• None yet - be the first!

We appreciate:

• Responsible disclosure of vulnerabilities
• Detailed reports with reproduction steps
• Patience during investigation and fix process
• Suggestions for security improvements

Security questions welcome:

• Discord: https://discord.gg/HhBSvM9gBY
• GitHub Issues: For non-sensitive security discussions
• Security Advisory: For private vulnerability reports

Security is a community effort. Thank you for helping keep Plural Chat safe for everyone in the plural community!

Security is not a product, but a process. Let's build it together. 🔒