We take security seriously. If you discover a security vulnerability in QuantHide, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email: resch.jonas@pm.me (or open a private security advisory on GitHub)

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

• Acknowledgment: Within 48 hours
• Initial Assessment: Within 7 days
• Resolution: Depends on severity (critical: ASAP, high: 30 days, medium: 90 days)

The following are in scope:

• Cryptographic weaknesses in Kyber1024, ChaCha20-Poly1305, or Argon2id implementations
• Steganographic detection vulnerabilities
• Data leakage through metadata or side channels
• Authentication bypasses
• Memory safety issues in Rust code
• XSS/injection in the frontend

• Social engineering attacks
• Physical attacks requiring device access
• Denial of service (the app is local-only)
• Vulnerabilities in dependencies (report upstream)

Password → Argon2id (64MB, 16 iterations) → Kyber1024 → ChaCha20-Poly1305

QuantHide protects against:

1. Advanced ML steganalysis: Sophisticated models may detect the presence of hidden data (but not decrypt it)
2. Lossy compression: JPEG re-compression destroys hidden data
3. No forward secrecy: Same password = same key derivation
4. Local security: No protection if device is compromised

All cryptographic implementations are from audited Rust crates:

• pqcrypto-kyber - Post-quantum cryptography
• chacha20poly1305 - RustCrypto project
• argon2 - RustCrypto project

We thank the following for responsible disclosures:

No vulnerabilities reported yet.

Thank you for helping keep QuantHide secure! 🔐