Thank you for helping keep Ebb secure.
Ebb is a privacy-first menstrual cycle tracker designed so that sensitive reproductive health data remains private and protected.
Because this project handles extremely sensitive health data, security and responsible disclosure are critically important.
We recommend using the latest version of Ebb.
| Version | Supported |
|---|---|
| Latest | ✅ Yes |
| Older releases | |
| Deprecated versions | ❌ No |
Security updates are applied to the most recent stable version.
If you discover a security vulnerability in Ebb, please report it responsibly and privately.
Do NOT create a public GitHub issue for security vulnerabilities.
Instead, please contact us directly.
Email:
Please include the following information:
• Description of the vulnerability
• Steps to reproduce the issue
• Potential impact
• Suggested mitigation (if known)
• Proof-of-concept (if available)
This helps us assess and resolve the issue faster.
We ask security researchers to follow these guidelines:
• Allow reasonable time for fixes before public disclosure
• Do not exploit vulnerabilities for malicious purposes
• Do not access or modify data belonging to other users
• Do not perform denial-of-service attacks
• Respect user privacy at all times
We greatly appreciate responsible disclosure that helps protect users.
Our typical response process:
| Step | Expected Time |
|---|---|
| Initial response | 48 hours |
| Investigation | 3-7 days |
| Fix development | 7-14 days |
| Public advisory | After patch release |
Complex vulnerabilities may require additional time.
Ebb was designed with a privacy-first architecture.
Key principles:
• No centralized server storage
• Local encrypted data only
• Zero-knowledge design
• No analytics or tracking
• No third-party SDKs
Because the application does not store user data on servers, many traditional data breach risks are eliminated.
Ebb uses modern browser cryptography APIs.
Security design includes:
• AES-256 encryption
• PBKDF2 key derivation
• WebCrypto API implementation
• Client-side encryption before storage
All encryption occurs locally on the user's device.
No keys are transmitted to external servers.
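As an added illustration of the design listed above (example code, not Ebb's own implementation), the following shows the described pattern in the WebCrypto API: a non-extractable AES-256 key derived with PBKDF2 from the user's passphrase, used on the client before a record is written to local storage, and checked again on read. Choices this document does not fix and which are therefore assumptions here: AES-GCM as the AES mode, SHA-256 as the PBKDF2 hash, 600,000 iterations, a fresh 16-byte salt and 12-byte IV per record, the envelope layout (`v`, `kdf`, `iv`, `ciphertext`), and the function names `deriveKey`, `encryptRecord`, `decryptRecord`, `decryptFails` and `tamperEnvelope`. The sample record is constructed.

```javascript
// Added example, not Ebb's own code. Assumed parameters: AES-256-GCM,
// PBKDF2-SHA-256 with 600,000 iterations, 16-byte salt, 12-byte IV, and the
// envelope format below. Runs in a browser or in Node 18+ (falls back to
// node:crypto's webcrypto when globalThis.crypto is not exposed).

const PBKDF2_ITERATIONS = 600000; // assumption; raise as device CPUs allow
const textEncoder = new TextEncoder();
const textDecoder = new TextDecoder();

async function getWebCrypto() {
  if (globalThis.crypto && globalThis.crypto.subtle) return globalThis.crypto;
  const { webcrypto } = await import('node:crypto');
  return webcrypto;
}

// Base64 helpers that work in both the browser and Node.
function toBase64(bytes) {
  return typeof Buffer !== 'undefined'
    ? Buffer.from(bytes).toString('base64')
    : btoa(String.fromCharCode(...bytes));
}
function fromBase64(s) {
  return typeof Buffer !== 'undefined'
    ? new Uint8Array(Buffer.from(s, 'base64'))
    : Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
}

// Derive a non-extractable AES-256-GCM CryptoKey from the passphrase.
// extractable=false means page script cannot export the raw key bytes.
async function deriveKey(passphrase, salt, iterations = PBKDF2_ITERATIONS) {
  const wc = await getWebCrypto();
  const baseKey = await wc.subtle.importKey(
    'raw', textEncoder.encode(passphrase), 'PBKDF2', false, ['deriveKey']);
  return wc.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations, hash: 'SHA-256' },
    baseKey,
    { name: 'AES-GCM', length: 256 },
    false,
    ['encrypt', 'decrypt']);
}

// Encrypt one record before it is written to local storage. The envelope
// carries salt, IV and KDF parameters so decryption needs only the passphrase.
async function encryptRecord(passphrase, record) {
  const wc = await getWebCrypto();
  const salt = wc.getRandomValues(new Uint8Array(16));
  const iv = wc.getRandomValues(new Uint8Array(12)); // never reused with a key
  const key = await deriveKey(passphrase, salt);
  const ciphertext = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, textEncoder.encode(JSON.stringify(record)));
  return {
    v: 1,
    kdf: { name: 'PBKDF2', hash: 'SHA-256', iterations: PBKDF2_ITERATIONS, salt: toBase64(salt) },
    iv: toBase64(iv),
    ciphertext: toBase64(new Uint8Array(ciphertext)),
  };
}

// Decrypt an envelope read back from local storage. AES-GCM authenticates the
// ciphertext, so a wrong passphrase or any modified byte makes decrypt reject.
async function decryptRecord(passphrase, envelope) {
  const wc = await getWebCrypto();
  const key = await deriveKey(passphrase, fromBase64(envelope.kdf.salt), envelope.kdf.iterations);
  const plaintext = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromBase64(envelope.iv) }, key, fromBase64(envelope.ciphertext));
  return JSON.parse(textDecoder.decode(plaintext));
}

// True only when decryption is refused (tamper or wrong passphrase detected).
async function decryptFails(passphrase, envelope) {
  try { await decryptRecord(passphrase, envelope); return false; } catch { return true; }
}

// Simulate on-disk corruption or tampering by flipping one bit of the stored bytes.
function tamperEnvelope(envelope) {
  const bytes = fromBase64(envelope.ciphertext);
  bytes[bytes.length - 1] ^= 0x01;
  return { ...envelope, ciphertext: toBase64(bytes) };
}

// Stand-alone demonstration with a constructed sample record.
async function demo() {
  const record = { date: '2024-03-01', flow: 'medium', note: 'constructed sample' };
  const envelope = await encryptRecord('correct horse battery staple', record);
  const restored = await decryptRecord('correct horse battery staple', envelope);
  console.log('round trip ok:', restored.date === record.date);
  console.log('wrong passphrase rejected:', await decryptFails('wrong', envelope));
  console.log('tampering rejected:', await decryptFails('correct horse battery staple', tamperEnvelope(envelope)));
}
if (typeof require !== 'undefined' && require.main === module) demo();
```

Three properties a reviewer auditing the in-scope "client-side encryption implementation" would look for are visible here: the key is derived with `extractable` set to false and never serialized, the IV is freshly random for every encryption so it is never reused under the same key, and decryption with a wrong passphrase or altered storage fails closed instead of returning garbage.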
The following components are considered in scope for security reports:
• Client-side encryption implementation
• Local data storage mechanisms
• Data privacy protections
• Service worker and offline functionality
• User interface data exposure risks
Out-of-scope issues may include:
• Browser vulnerabilities
• Operating system vulnerabilities
• Issues in unrelated third-party software
The primary security goals of Ebb are:
• Protect reproductive health data
• Prevent unauthorized data access
• Ensure transparency through open source
• Minimize attack surface by avoiding servers
• Provide verifiable privacy guarantees
We appreciate the work of independent security researchers who help strengthen the safety of open-source software.
Responsible disclosure helps ensure that Ebb remains a trusted privacy-first health application.
Security inquiries:
General project inquiries: