Security Policy

Last Updated: December 2, 2025

Comprehensive security information, vulnerability disclosure policy, and security best practices for the zk.im platform.

Security Contact
How to report security vulnerabilities

Email: security@zk.im

Security.txt: /.well-known/security.txt

Response Time: We respond to security reports within 48 hours.

Encryption: For sensitive vulnerability reports, we recommend encrypting your email using PGP. Our PGP public key is available in the security.txt file linked above.

Security Architecture
Multi-layered security model

Cryptographic Security

  • Encryption: XChaCha20-Poly1305 (AEAD) via libsodium-wrappers-sumo
  • Hashing: BLAKE3 (256-bit) - ZKIM standard hash algorithm
  • Key Exchange: X25519 (Curve25519) for key derivation
  • Digital Signatures: Ed25519 for authentication and message integrity
  • Key Generation: libsodium secure random number generation
  • No Web Crypto API: All cryptographic operations use libsodium/@noble/hashes exclusively

Zero-Knowledge Architecture

  • Client-Side Encryption: All encryption happens on user devices before transmission
  • No Plaintext Storage: Zero plaintext data stored on servers or in storage
  • Metadata Minimization: Minimal metadata collection required for message delivery
  • Searchable Encryption: ZKIM File Format supports encrypted search without decryption

Network Security

  • P2P Communication: Direct WebRTC connections between peers
  • Bootstrap Nodes: peer0.zk.im, peer1.zk.im, peer2.zk.im, peer3.zk.im (4 global regions)
  • DHT Discovery: Kademlia DHT for decentralized peer discovery
  • Perfect Forward Secrecy: Ephemeral keys for each message session
  • No Central Servers: Fully decentralized architecture with no single point of failure

Storage Security

  • ZKIM CAS: Content-Addressable Storage with BLAKE3 hashing
  • Encrypted at Rest: All stored data encrypted before persistence
  • SecureStorage: User-specific encryption for localStorage data
  • Deduplication: FastCDC chunking with 95%+ deduplication efficiency

HTTP Security Headers
Security headers implemented across all services

  • HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • X-Frame-Options: SAMEORIGIN - Prevents clickjacking attacks
  • X-Content-Type-Options: nosniff - Prevents MIME type sniffing
  • CSP: Content Security Policy - XSS protection
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: Restricts browser features (geolocation, camera, etc.)
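A small checker that verifies a response's headers against the policy listed above, added here as an example; it is not zk.im code, and the two header sets at the bottom are constructed samples rather than responses captured from the service.

```python
"""Verify HTTP response headers against the security-header policy above.

Added example, not zk.im code. GOOD and WEAK are constructed sample
header sets, not captured from any real server.
"""
import re

ONE_YEAR = 31536000  # HSTS max-age the policy requires
OK_REFERRER = {"no-referrer", "same-origin", "strict-origin",
               "strict-origin-when-cross-origin"}


def check_security_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the policy is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        directives = {d.strip().lower() for d in hsts.split(";")}
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS: max-age below one year")
        for d in ("includesubdomains", "preload"):
            if d not in directives:
                findings.append(f"HSTS: missing {d} directive")

    if h.get("x-frame-options", "").upper() not in ("SAMEORIGIN", "DENY"):
        findings.append("X-Frame-Options: expected SAMEORIGIN (clickjacking protection)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: expected nosniff")

    csp = h.get("content-security-policy")
    if not csp:
        findings.append("CSP: header missing")
    else:
        # Inline script in script-src undermines the XSS protection CSP is meant to give.
        script_src = next((d for d in csp.split(";") if d.strip().startswith("script-src")), "")
        if "'unsafe-inline'" in script_src:
            findings.append("CSP: script-src allows 'unsafe-inline'")

    if h.get("referrer-policy", "").lower() not in OK_REFERRER:
        findings.append("Referrer-Policy: expected strict-origin-when-cross-origin or stricter")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: header missing")
    return findings


GOOD = {  # constructed: meets the policy
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN", "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()"}
WEAK = {  # constructed: short HSTS, no framing header, inline scripts allowed
    "strict-transport-security": "max-age=300", "x-content-type-options": "nosniff",
    "content-security-policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "referrer-policy": "unsafe-url"}
```

Run it against a live response by feeding `dict(resp.headers)` from any HTTP client into `check_security_headers`.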

Vulnerability Disclosure Policy
How to responsibly report security issues

Reporting Process

  1. Email security@zk.im with detailed vulnerability description
  2. Include steps to reproduce, potential impact, and suggested fix (if available)
  3. Wait for acknowledgment (within 48 hours)
  4. Allow reasonable time for a fix before public disclosure
  5. We will credit you in our security acknowledgments (if desired)

Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution: Depends on severity
    • Critical: 24-48 hours
    • High: 7 days
    • Medium: 30 days
    • Low: 90 days

Scope

This policy applies to:

  • zk.im main website (zk.im)
  • Bootstrap nodes (peer0-3.zk.im)
  • ZKIM P2P network infrastructure
  • ZKIM CAS storage systems
  • ZKIM File Format implementations
  • All ZKIM infrastructure services

Out of Scope

  • Third-party services and dependencies
  • Issues requiring physical access to infrastructure
  • Social engineering attacks
  • Denial of service attacks (unless they reveal security vulnerabilities)
  • Spam or phishing attempts

Security Best Practices
Recommendations for users

Key Management

  • Never share your private keys or recovery phrases
  • Use hardware wallets for high-value accounts
  • Enable device binding for additional security
  • Use strong, unique passwords for wallet access
  • Regularly back up your recovery information securely

Message Security

  • Verify recipient wallet addresses before sending sensitive messages
  • Use end-to-end encrypted channels for all communications
  • Be cautious of phishing attempts and verify message sources
  • Don't share sensitive information in unencrypted channels

Device Security

  • Keep your operating system and browser updated
  • Use antivirus and anti-malware software
  • Avoid using public or untrusted networks for sensitive operations
  • Enable two-factor authentication where available
  • Lock your devices when not in use

Compliance &amp; Standards
Security standards and compliance

Security Standards

  • OWASP Top 10 protection
  • NIST Cybersecurity Framework alignment
  • GDPR compliance (privacy-first architecture)
  • Zero-knowledge architecture principles

Infrastructure Security

  • Automatic DDoS protection at infrastructure level
  • Network-level security controls with minimal port exposure (443, 22)
  • Nginx rate limiting (10 req/s per IP)
  • Application-level rate limiting
  • IP blocking for malicious activity
  • SSL/TLS 1.2+ with strong cipher suites

Security Audits &amp; Transparency
Our commitment to security transparency

We are committed to security transparency and continuous improvement. Security audits are conducted regularly, and findings are addressed promptly.

Security Acknowledgments: We recognize security researchers who responsibly disclose vulnerabilities. If you would like to be credited for your responsible disclosure, please let us know in your report.

Status Page: Monitor infrastructure health at /status.