# Faction — we can’t read your messages.


# Responsible disclosure
Last updated: 2026-05-18

Faction welcomes security research. This page is the short version of the policy; the full severity matrix, scope, and load-bearing-file list live on the [security page](/security).

## Where to send a report

Email [michael@faction.chat](mailto:michael@faction.chat). **Do not file a public GitHub issue for a security vulnerability.**

Want an encrypted intake before sending details? Email and ask. We will share a PGP key or a Signal contact out of band rather than publish one that goes stale.

## What to include

- A short description of the issue and its impact.
- Steps to reproduce or a proof-of-concept.
- The affected version or commit hash if you know it.
- Whether you've already shared the finding with anyone else.

## What you can expect from us

- 48 hours — acknowledgment of receipt.
- 30 days — fix target for critical findings (lower-severity issues move on longer timelines; we tell you the plan either way).
- 90 days — coordinated public disclosure after the fix lands.
- Credit on the security page once the finding is fixed and disclosure timing is agreed, if you want it.
- No legal action against good-faith research that follows the safe-harbor terms below.

## Safe harbor

If you are testing within the rules below, we will not pursue legal action:

- You only access accounts and data you own, or test data you created for the purpose.
- You do not exfiltrate, retain, or share user data beyond what's necessary to demonstrate the issue.
- You do not run denial-of-service attacks against production infrastructure. Local repro of a DoS is fine; pointing 10k clients at api.faction.chat is not.
- You do not attempt to phish, social-engineer, or otherwise pressure Faction staff or other users.
- You give us a reasonable window (the timeline above) before public disclosure.

## Out of scope

See the [security page](/security#scope) for the full list. In short:

- Third-party plugin code hosted on the plugin developer's own infrastructure.
- Issues that require physical device access and an unlocked session.
- "Plugin channels are not E2EE" — intentional, with a mandatory UI warning. See the whitepaper.
- "Webhook-posted messages are not E2EE" — same intentional design.
- Pure cryptanalysis of primitives we depend on (AES-256, ChaCha20-Poly1305, X25519, Ed25519, OPAQUE).
- Spam, abuse, or content-moderation requests — these go through the in-product report flow, not security intake.

## Severity, scope, and the audit trail

The full severity matrix (Critical / High / Medium / Low with examples), the in-scope service list, and the verification pointers live on the [security page](/security).
