Security: ryannzander/hush

SECURITY.md

Security Policy

Hush is a privacy and security tool. We take vulnerabilities extremely seriously and ask the community to disclose them responsibly.

Reporting a vulnerability

Please do not open public issues, pull requests, or discussions for security bugs.

Report privately via GitHub Security Advisories ("Report a vulnerability" on the Security tab) or by encrypted email to the maintainers' published key. Include:

  • A description of the issue and its impact.
  • Steps to reproduce, or a proof of concept.
  • Affected versions / commit hashes.

We aim to acknowledge reports within 72 hours and to provide a remediation timeline within 7 days. We support coordinated disclosure and will credit reporters who wish to be named once a fix is released.

Scope — what we consider a vulnerability

Because of our threat model, the following are in scope and treated as high severity:

  • Any path by which plaintext message or attachment content or long-term private keys could reach a relay or third party.
  • Breaks in forward secrecy or post-compromise security.
  • Metadata leaks beyond what the threat model documents as accepted (e.g. a relay being able to link the two ends of a conversation, tie a queue to an identity, or reconstruct the social graph; unnecessary plaintext identifiers on the wire).
  • Failures in key verification (safety numbers / QR) that enable undetected MITM.
  • Weakening of encryption-at-rest for local storage or key material.
  • Downgrade attacks, missing zeroization of secrets in memory, nonce/IV reuse.

Out of scope

  • Attacks requiring a fully compromised endpoint (root on the user's device). We document the limits of post-compromise recovery in the threat model rather than claiming defense.
  • Denial of service against public infrastructure without a privacy/integrity impact.
  • Social engineering of users or maintainers.

Our commitments

  • We never ship hand-rolled cryptographic primitives; we depend on audited libraries.
  • We document every accepted residual risk in THREAT_MODEL.md.
  • Security fixes are prioritized over features and are released as soon as practical.