Skip to content

Security: sudoaanish/loom

Security

SECURITY.md

Security Policy

Experimental Status

Loom is experimental software. It has not received an independent security audit, cryptographic review, penetration test, or formal protocol analysis.

Loom should not be used for high-risk, sensitive, regulated, or adversarial communications.

Supported Versions

No stable security-supported version exists yet.

The current development version is 0.1.x.

Version Security support
0.1.x No stable security support

Reporting Security Issues

Please do not file public issues for suspected vulnerabilities.

Contact the maintainer through:

No PGP key is currently published for this project.

When reporting an issue, include:

  • Affected version or commit.
  • Operating system and environment.
  • Steps to reproduce.
  • Expected and actual behavior.
  • Any proof of concept material that is safe to share privately.
  • Whether the issue may expose private keys, message contents, identity tokens, local network metadata, or persistent database contents.

Current Security Properties

The current implementation:

  • Generates a 32-byte local master seed.
  • Derives Ed25519 identity keys and X25519 static keys from the master seed.
  • Encodes public identity material into Loom tokens.
  • Validates Loom token prefix, payload length, version, base32 encoding, and checksum.
  • Signs handshake messages with Ed25519.
  • Derives shared session material from X25519 Diffie-Hellman outputs using HKDF-SHA256.
  • Encrypts chat payloads with ChaCha20-Poly1305 through a Double Ratchet-style session.
  • Signs encrypted chat envelopes with Ed25519.
  • Persists ratchet state per peer.

These are implementation observations, not security guarantees.

Known Limitations

The current implementation has several important limitations:

  • No independent security audit.
  • Custom cryptographic protocol and custom Double Ratchet-style implementation.
  • Local SQLite storage contains the master seed, ratchet state, contacts, and plaintext message history without application-level encryption.
  • Tauri Content Security Policy is disabled with "csp": null.
  • mDNS advertises local peer presence using a service name derived from the public identity key.
  • TCP frame length is accepted from the network and used to allocate a buffer without an explicit maximum in the current implementation.
  • No documented key verification ceremony beyond out-of-band token exchange.
  • No documented identity revocation, key rotation, or recovery model.
  • No documented database migration, backup, or secure deletion model.
  • No stable security-supported version or vulnerability response process.
  • The UI includes diagnostic console behavior and browser mock fallback behavior.
  • The frontend escapes message contents before rendering, but the full webview security posture still needs review.

Security-Sensitive Areas

Changes in these files affect security-sensitive behavior:

  • crates/loom-core/src/crypto.rs
  • crates/loom-core/src/protocol.rs
  • crates/loom-core/src/network.rs
  • crates/loom-core/src/storage.rs
  • crates/loom-core/src/token.rs
  • src-tauri/src/main.rs
  • src-tauri/tauri.conf.json
  • src/index.html
  • src/main.js

There aren't any published security advisories