Security & Vulnerability Disclosure

What FrogTalk is, and how we build it

FrogTalk is a censorship-free chat platform where messages can stay private. No company sits in the middle; anyone can run a node; DMs are end-to-end encrypted so the server can't read them even if it's seized. That's the point of the project.

We're also building it in public with a development process we're openly experimenting with — the future of how small teams ship software with AI in the loop. We call our flow the deslop pipeline:

💡 Idea → 🤖 AI slop (first draft) → 🧹 Deslop (human review) → 🚀 Ship

The first draft of most code is AI-generated. A human reviewer then deslops it: tightens the security, kills dead code, fixes lying comments, and actually exercises the change before it merges. Code is not considered done until it has been deslopped. The full checklist lives in CONTRIBUTING.md.

We're honest about this because users deserve to know the threat model. The encryption primitives are standard (ECDH-P256 → SHA-256 → AES-GCM-256, fresh 96-bit IV per message) but the surrounding plumbing is still being deslopped. Don't expect bank-grade security or privacy yet — especially in DMs. Help us get there.

Threat model: we assume the server can be compromised. DM bodies are end-to-end encrypted, keys never touch the server, recovery keys are 256-bit tokens stored as SHA-256 hashes only. If you find a way around that — please report it loudly.

How you can help (any of these are huge):

🐛 File a bug or vulnerability report via the form below — anonymous is fine.
🔎 Audit a file and open a slop sighting for code that looks AI-written and obviously wrong.
🧹 Send a deslop PR — pick an issue tagged deslop-needed and tighten it. Vibe-coded PRs are welcome too; just label them.
📣 Run a node and join the federation. More nodes = more censorship-resistance.
💬 Tell other people the project exists. Community projects only work with a community.

What counts as a vulnerability

High-impact: account takeover, E2EE bypass, message tampering, server-side RCE, SQL injection, auth bypass.
Medium-impact: stored or reflected XSS, CSRF on state-changing endpoints, privilege escalation, IDOR, sensitive info leaks.
Lower-impact: rate-limit bypass, denial-of-service through unbounded inputs, info disclosure of non-sensitive data.
Not in scope: "you can DM yourself spam from your own account", missing security headers without a working exploit, automated scanner output without a PoC, social engineering of other users.

Report a vulnerability

Use the form below. You can submit anonymously — we don't require an account — but including a contact (email, Matrix, GitHub handle, or a FrogTalk nickname) lets us ask follow-up questions and credit you when it's fixed.

For critical issues you'd rather not put in a web form, email security@frogtalk.xyz with as much detail as you can.

Please don't test exploits against the live production server beyond what's needed to confirm the bug. For destructive PoCs (mass-account creation, DoS), spin up a local instance — docker compose up from the repo gets you a full stack in about a minute.

Even better: send a patch

FrogTalk is MIT-licensed and lives on GitHub. If you can write the fix, we'd much rather review a PR than relitigate the bug in an issue tracker.

Our pipeline is honest: Idea → AI slop → Deslop (human review) → Ship. Most code starts as an AI draft; a human reviewer then tightens the security, fixes the dead code, and makes sure it doesn't break anything else before it merges. Read the full process & deslop checklist →

Repo: github.com/deadinternetfox/frogtalk
Branch from main, keep PRs small and focused, write a clear commit message.
Vibe-coded PRs welcome — just label them vibe-coded so the deslop team knows what they're walking into. We'll review and tighten together.
Touched JS? Run node --check static/js/<file>.js before pushing — silent parse errors break every onclick on the page.
Touched Python? Run python -m py_compile on the changed files; the FastAPI app imports the whole tree at startup.
Security fixes: include a PoC in the PR description (or link to the bug-report ID you filed here) so the reviewer can verify the patch closes the hole.
Credit: add yourself to CONTRIBUTORS.md in the same PR, or tell us where to credit you in the security advisory.

Community projects are up to all of us. Every reviewed PR, every triaged report, every responsible disclosure makes the platform safer for the next person who logs in. We notice, and we say thank you.

Hall of fame

Security researchers who've responsibly disclosed issues. Want to be on this list? See above.

You? — be the first.