Skip to content
Security

We tell you exactly what we protect — and what we don't.

Security theater is a liability. Below is the real cryptographic stack, an honest threat model, and the policy for reporting what we missed.

Cryptographic stack

Key agreementX3DH + PQXDH (post-quantum)
Message ratchetDouble Ratchet (libsignal)
Post-quantumKyber / ML-KEM
AEADChaCha20-Poly1305
SignaturesEd25519 / Curve25519
TransportWSS relay (Cloudflare) · sealed sender
Local storageEncrypted SQLite · ChaCha20-Poly1305
RandomnessOS CSPRNG
IdentityDID:key (on-device)

Threat model

In scope

Passive network adversary

E2EE + TLS transport. Sniffing yields only sealed ciphertext.

In scope

Active MITM

Key verification via QR / safety numbers. Key-change alerts in human language.

In scope

Device theft

SQLite with per-message encrypted content (ChaCha20-Poly1305; full-file SQLCipher planned) + biometric/app lock. Optional per-chat passwords and auto-wipe.

In scope

Key compromise

Forward secrecy + post-compromise security via the Double Ratchet; post-quantum key exchange (PQXDH).

Out of scope

Full metadata anonymity

The relay can see your IP, timing and volume (sealed sender hides who sent a message, not the network path). Tor transport is planned, not shipped.

Out of scope

Being tracked by radio, if you enable Bluetooth

While the nearby-Bluetooth transport is on, your phone advertises a stable identifier derived from your ID. It reveals neither your identity nor any message content, but someone physically near you with a BLE scanner could correlate the same phone appearing over time and place. Rotating that identifier is on the roadmap; until then the transport stays off unless you turn it on.

Out of scope

Impersonation on unverified contacts

The sealed envelope doesn't authenticate the sender at the outer layer (the claimed ID is self-declared). Real authenticity comes from the inside — a libsignal message only decrypts under the correct session — plus the safety number. On a brand-new contact, verify the safety number.

Out of scope

A compromised device

Root malware or a keylogger defeats any messenger. We protect content, not a hostile OS.

Out of scope

Independent audit

Blink builds on audited primitives, but our own integration has not had a third-party audit. Android-only for now; the desktop build is parked.

Audit status

Honest status — no fake audit badges. Here's where independent review actually stands.

Not yet

Independent audit

Blink builds on libsignal's audited primitives, but our own integration has not had a third-party audit. We don't claim otherwise.

Live

Open source

The full source is public on GitHub under AGPL-3.0 — review the code, not just the marketing.

Planned

Bug bounty

Credit-based bounty, plus a paid audit when funding allows.

Vulnerability disclosure

Found something? Report it via a private GitHub Security Advisory on the Blink repository. We fix in the open and credit researchers who want it.

  • · Coordinated disclosure — give us time to ship a fix
  • · No legal action against good-faith research
  • · Public notes for fixed issues
report-a-vuln.sh
# Private GitHub Security Advisory:
$ gh repo view tralalananala-cloud/blink
  Security → Advisories → “Report a vulnerability”

# Or open a minimal issue without exploit details.