Security
How to report
If you've found a vulnerability or security issue in any Dowser Labs product, please email security@dowserlabs.com. Encrypt sensitive details with our PGP key (below) when possible.
We aim to acknowledge receipt within 72 hours, and we will keep you informed as we triage and address the report.
The same address is published in our security.txt per RFC 9116.
Scope
In scope
- SourceNote Mobile (Android)
- SourceNote Desktop (Linux, macOS, Windows)
- This website (dowserlabs.com)
Out of scope
- Third-party applications inspected by SourceNote (Signal, WhatsApp, etc.)
- The user's network infrastructure (router, ISP, VPN provider)
- Vulnerabilities in dependencies that have not been disclosed upstream — please report those to the upstream project first.
Safe harbor
Dowser Labs welcomes good-faith security research. If you make a good-faith effort to comply with this policy during your research, we will:
- Not pursue or support legal action against you for your research.
- Work with you to understand and resolve the issue quickly.
- Publicly acknowledge your contribution if you wish.
In return, please:
- Do not access, modify, or delete user data beyond what is necessary to demonstrate the issue.
- Do not disrupt our services or the experience of other users.
- Give us a reasonable window to address the issue before public disclosure (we suggest 90 days, longer if necessary).
PGP key
Public key for security@dowserlabs.com:
Fingerprint: 0E4F D2CA E801 3A21 E2BF 732E FD59 94DC 79CF CE65
Download: security@dowserlabs.com.asc