Do NOT open a public GitHub issue for security vulnerabilities.

M4TR1X is used by journalists, activists, and people in high-risk environments. A public disclosure before a patch is ready could put real users in danger.

Preferred — GitHub Private Security Advisory: Use GitHub's built-in private reporting: Report a vulnerability

Alternative — Nostr encrypted DM (NIP-44): Send an encrypted DM to the maintainer's npub (see profile). Use a burner Nostr key if you need anonymity.

Alternative — Email: security [at] h8group [dot] net (PGP key available on request via Nostr DM)

• Description of the vulnerability and its impact
• Steps to reproduce (proof of concept if possible)
• Affected version(s) and platform (Windows / macOS / Linux)
• Your assessment of severity (see matrix below)
• Whether you want credit in the release notes (or prefer anonymity)

We follow coordinated disclosure. If you give us a reasonable timeline and we miss it, you are free to publish.

• main.js — Electron main process, IPC handlers, CSP configuration
• preload.js — contextBridge surface, IPC exposure
• server/ — Express API, authentication, H8 identity/token logic
• frontend/ — XSS, injection, insecure data handling in the renderer
• server/h8identity.js — key management, encryption/decryption
• server/h8token.js — ledger integrity, transaction signing
• Tor proxy bypass or traffic leakage
• ONNX model integrity (supply-chain attack on the model file)

• Vulnerabilities in Nostr relays, PeerTube instances, or Mastodon servers (report to them directly)
• Physical device seizure (documented in threat model)
• Attacks requiring the user to already have an unlocked session and physical access
• Denial of service against the local API (it's local — the user controls it)
• Issues in outdated or end-of-life versions

M4TR1X is built for the worst-case scenario: a user in an authoritarian country, on a surveilled network, whose device may be inspected.

No central server. Everything runs locally. There is no M4TR1X cloud that can be seized, subpoenaed, or compelled to hand over data.

Tor-first networking. If Tor Browser (port 9150) or the tor daemon (port 9050) is running at launch, M4TR1X automatically routes all outbound traffic through SOCKS5. No manual configuration required. Bundled bridges (obfs4, Snowflake, meek-azure) are pre-configured for censored networks.

Post-quantum identity (ML-DSA65 / CRYSTALS-Dilithium). Every H8 identity uses NIST FIPS-204 key pairs. The secret key is encrypted at rest with AES-256-GCM + scrypt N=131072 and never leaves the device. In-session keys live in memory only and are wiped on app close.

End-to-end encrypted DMs. Direct messages use Nostr NIP-44 (ChaCha20-Poly1305 + ECDH secp256k1). No relay can read them.

Metadata scrubbing. Every video passes through ExifTool before analysis or publishing to strip GPS coordinates, device identifiers, timestamps, and other identifying metadata.

Electron hardening:

• contextIsolation: true — renderer process cannot access Node.js APIs
• nodeIntegration: false — no Node.js in the frontend
• sandbox: true — Chromium sandbox enforced
• webSecurity: true — same-origin policy enforced
• CSP via onHeadersReceived — blocks XSS and inline script injection
• setWindowOpenHandler — all external links open in the system browser, never in-app
• Navigation to external URLs is intercepted and blocked

Admin API protection. Admin endpoints are protected by localhostOnly middleware + ADMIN_KEY secret. They are never exposed on the network interface.

• Network surveillance and traffic analysis (via Tor)
• Metadata-based device fingerprinting (via ExifTool)
• Content injection and XSS (via CSP + context isolation)
• Future quantum computer attacks on identity (via ML-DSA65)
• Centralized censorship and deplatforming (via Nostr/PeerTube/Funkwhale federation)
• AI-generated disinformation (via ONNX detection + crowd voting)

• Device seizure. If your device is confiscated with an unlocked session, keys in memory may be accessible. Lock the app (wallet lock button) before any risky situation.
• Screen recording or physical observation of the device.
• A compromised Nostr relay selectively censoring content. Use multiple relays and verify content signatures.
• A compromised build pipeline. Verify release checksums (see below) to confirm binaries match the published source.
• Malware on the host system with elevated privileges.

Every release is built by GitHub Actions from the public source code. The workflow file is at .github/workflows/build.yml — you can inspect it to verify no modification happens between source and binary.

SHA-256 checksums are published with every release.

# Linux
sha256sum --check checksums-linux.txt

# macOS
shasum -a 256 --check checksums-mac.txt

# Windows (PowerShell)
Get-FileHash m4tr1x-setup.exe -Algorithm SHA256

Compare the output against the checksums listed in the GitHub Release notes.

"In the age of synthetic reality, authenticity is the new resistance."