We tell you exactly what we protect — and what we don't.
Security theater is a liability. Below is the real cryptographic stack, an honest threat model, and the policy for reporting what we missed.
Cryptographic stack
| Key agreement | X3DH + PQXDH (post-quantum) |
| Message ratchet | Double Ratchet (libsignal) |
| Post-quantum | Kyber / ML-KEM |
| AEAD | ChaCha20-Poly1305 |
| Signatures | Ed25519 / Curve25519 |
| Transport | WSS relay (Cloudflare) · sealed sender |
| Local storage | Encrypted SQLite · ChaCha20-Poly1305 |
| Randomness | OS CSPRNG |
| Identity | DID:key (on-device) |
Threat model
Passive network adversary
E2EE + TLS transport. Sniffing yields only sealed ciphertext.
Active MITM
Key verification via QR / safety numbers. Key-change alerts in human language.
Device theft
SQLite with per-message encrypted content (ChaCha20-Poly1305; full-file SQLCipher planned) + biometric/app lock. Optional per-chat passwords and auto-wipe.
Key compromise
Forward secrecy + post-compromise security via the Double Ratchet; post-quantum key exchange (PQXDH).
Full metadata anonymity
The relay can see your IP, timing and volume (sealed sender hides who sent a message, not the network path). Tor transport is planned, not shipped.
Being tracked by radio, if you enable Bluetooth
While the nearby-Bluetooth transport is on, your phone advertises a stable identifier derived from your ID. It reveals neither your identity nor any message content, but someone physically near you with a BLE scanner could correlate the same phone appearing over time and place. Rotating that identifier is on the roadmap; until then the transport stays off unless you turn it on.
Impersonation on unverified contacts
The sealed envelope doesn't authenticate the sender at the outer layer (the claimed ID is self-declared). Real authenticity comes from the inside — a libsignal message only decrypts under the correct session — plus the safety number. On a brand-new contact, verify the safety number.
A compromised device
Root malware or a keylogger defeats any messenger. We protect content, not a hostile OS.
Independent audit
Blink builds on audited primitives, but our own integration has not had a third-party audit. Android-only for now; the desktop build is parked.
Audit status
Honest status — no fake audit badges. Here's where independent review actually stands.
Independent audit
Blink builds on libsignal's audited primitives, but our own integration has not had a third-party audit. We don't claim otherwise.
Open source
The full source is public on GitHub under AGPL-3.0 — review the code, not just the marketing.
Bug bounty
Credit-based bounty, plus a paid audit when funding allows.
Vulnerability disclosure
Found something? Report it via a private GitHub Security Advisory on the Blink repository. We fix in the open and credit researchers who want it.
- · Coordinated disclosure — give us time to ship a fix
- · No legal action against good-faith research
- · Public notes for fixed issues
# Private GitHub Security Advisory:
$ gh repo view tralalananala-cloud/blink
Security → Advisories → “Report a vulnerability”
# Or open a minimal issue without exploit details.