Security and privacy are core principles of Batiyoun. We're building a platform where users can communicate with confidence, knowing their data is protected by industry-standard encryption and security practices.
We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.
DO:
- Email security reports to: kushkumar.officialsoftwaredev@gmail.com
- Include detailed steps to reproduce the vulnerability
- Provide your assessment of the impact and severity
- Give us reasonable time to fix the issue before public disclosure
DON'T:
- Open a public GitHub issue for security vulnerabilities
- Exploit the vulnerability beyond proof-of-concept
- Access or modify other users' data
- Publicly disclose the vulnerability before we've patched it
What to include in your report:
- Title: Brief description of the vulnerability
- Description: Detailed explanation of the issue
- Steps to Reproduce: Clear, step-by-step instructions
- Impact: What an attacker could do
- Affected Components: Client, server, database, etc.
- Suggested Fix: If you have ideas (optional)
- Your Contact: How we can reach you for follow-up
Response timeline:
- 24 hours: Initial acknowledgment of your report
- 72 hours: Assessment and severity classification
- 7-30 days: Patch development and testing (depending on severity)
- After fix: Public disclosure (with credit to you, if desired)
We'll publicly recognize security researchers who responsibly disclose vulnerabilities:
No reports yet - you could be first!
Implemented:
- Password Hashing: bcrypt with salt (cost factor: 10)
- HTTP-Only Cookies: Prevent XSS attacks
- Secure Cookies: HTTPS-only in production
- Session Expiry: 7-day TTL with automatic renewal
- OAuth 2.0: Google authentication support
- Input Validation: Zod schemas on all endpoints
- Rate Limiting: Prevent brute force and DDoS
  - Login: 5 attempts per 15 minutes
  - OTP: 3 requests per hour
  - API: 100 requests per minute
- CSRF Protection: Built into Next.js
- CORS: Restricted to allowed origins
- Prepared Statements: SQL injection prevention (Prisma)
- Connection Pooling: Secure connection management
- Environment Variables: No hardcoded credentials
- Encrypted Connections: TLS for all database traffic
- HTTPS/TLS 1.3: All traffic encrypted in transit
- WSS: Secure WebSocket connections
- Content Security Policy (CSP): XSS mitigation
- HSTS: Force HTTPS connections
In progress (end-to-end encryption):
- Algorithm: AES-256-GCM (symmetric encryption)
- Key Exchange: ECDH (Elliptic Curve Diffie-Hellman)
- Key Generation: Web Crypto API (client-side)
- Zero-Knowledge: Server never sees plaintext messages
- Forward Secrecy: New keys for each session
E2EE Flow:
1. User A generates ECDH key pair on client
2. User B generates ECDH key pair on client
3. Both exchange public keys via server
4. Both compute shared secret independently
5. Messages encrypted with shared secret
6. Server only sees encrypted data
Planned:
- Key Rotation: Automatic periodic key changes
- Verified Devices: Prevent MITM attacks
- Safety Numbers: Cross-verify encryption keys
- Disappearing Messages: Auto-delete after time
- Screenshot Protection: Android/iOS specific
- 2FA/MFA: Two-factor authentication
- Use a Strong Password
  - At least 12 characters
  - Mix of uppercase, lowercase, numbers, symbols
  - Unique to Batiyoun (don't reuse passwords)
  - Consider using a password manager
- Enable Two-Factor Authentication (coming soon)
  - Adds an extra layer of security
  - Required for password recovery
- Verify Your Email
  - Ensures account recovery options
  - Prevents unauthorized access
- Keep Your Device Secure
  - Lock screen with PIN/biometrics
  - Keep OS and browser updated
  - Don't root/jailbreak your device
- Be Cautious of Phishing
  - We'll never ask for your password via email
  - Always check the URL: batiyoun.vercel.app
  - Be suspicious of unsolicited login links
- Think Before You Send
  - Once sent, you can't unsend (yet)
  - Assume messages could be screenshot
- Verify Who You're Talking To
  - Check usernames carefully
  - Use safety numbers (coming soon)
- Manage Your Data
  - Regularly clear old conversations
  - Use disappearing messages (coming soon)
- Report Suspicious Activity
  - Contact us if you notice unusual account activity
  - Report abusive users
- Security-First Design: Security considered from day one
- Code Reviews: All code reviewed before merging
- Dependency Scanning: Automated vulnerability checks
- Static Analysis: ESLint security rules
- Type Safety: TypeScript for compile-time checks
- Least Privilege: Services only get necessary permissions
- Secrets Management: Environment variables, no hardcoded secrets
- Regular Updates: Dependencies kept up-to-date
- Monitoring: Error tracking and anomaly detection
- Backups: Regular automated backups (database)
- Regular Security Audits (Planned)
- Penetration Testing (Planned)
- GDPR Compliance (For EU users)
- Data Retention Policies
- Transparency Reports (Planned)
- HTTPS: TLS 1.3 with modern cipher suites
- WebSocket: WSS (WebSocket Secure)
Message Encryption:
- Algorithm: AES-256-GCM
- Key Size: 256 bits
- IV Size: 96 bits (12 bytes)
- Tag Size: 128 bits (16 bytes)
Key Exchange:
- Algorithm: ECDH (Elliptic Curve Diffie-Hellman)
- Curve: Curve25519 (X25519)
- Key Size: 256 bits
Key Derivation:
- Algorithm: HKDF (HMAC-based KDF)
- Hash: SHA-256
- Salt: Random 256-bit value
Data we store:
- User Profile: Email, username, display name, avatar URL
- Authentication: Hashed password, OAuth provider ID
- Messages: Encrypted content, metadata, timestamps
- Sessions: Active login sessions (7-day TTL)
- Logs: Error logs, access logs (30-day retention)
Data we never store:
- Plaintext passwords
- Message decryption keys (when E2EE is live)
- Deleted messages (after deletion)
- Private keys (client-side only)
Users can request data deletion:
- Account deletion deletes all user data within 30 days
- Message deletion is immediate
- Backups are purged after 90 days
In case of a security breach:
- Detection: Monitoring systems alert our team
- Assessment: Evaluate scope and severity
- Containment: Isolate affected systems
- Notification: Inform affected users within 72 hours
- Remediation: Patch vulnerabilities
- Review: Post-mortem analysis
- Disclosure: Public incident report
- Security Issues: kushkumar.officialsoftwaredev@gmail.com
- Bug Reports: GitHub Issues
- General Questions: GitHub Discussions
- OWASP Top 10
- Web Crypto API
- Signal Protocol (Inspiration for our E2EE)
Last Updated: February 13, 2026
Thank you for helping keep Batiyoun secure!