Reporting and current security posture

Security

Use private reporting paths for security issues. Keep secrets, tokens, keys, private deployment details, and user safety data out of public reports.

Experimental · Not an emergency service

Proofline is experimental and does not contact emergency services. Read the safety boundaries.

Current

Encrypted bytes only by default

The current backend validates and stores ciphertext bytes only in the default path. It does not store raw media keys or decrypt uploaded chunks.

Current

Admin routes stay separate

The server separates the main API/viewer listener from private admin routes and surfaces. Token-gated viewer routes are read-only.

Reporting

Report privately

Do not report security vulnerabilities through public GitHub issues. Use each repository's security policy and its private vulnerability reporting path.

Not yet

No decryption workflow

Backend decryption, browser decryption, trusted-contact decryption, raw server-held media keys, key escrow, and break-glass access are not current behavior.

Do not publish

  • Raw incident tokens, viewer tokens, session tokens, or CSRF tokens.
  • Request bodies, Authorization headers, uploaded bytes, or plaintext.
  • Raw keys, raw media keys, contact private keys, or wrapped-key ciphertext.
  • Private deployment details, object-store credentials, object keys, or user safety data.
  • Exploit material, proof-of-concept details, or private logs in public issues.
  • Configuration files containing real secrets or private endpoint details.

Sources

These project documents provide more detail about the current implementation, planned work, and security limits.