Security
We'd rather show our work than ask for blind trust. Here's where things actually stand.
Security review status: Not independently audited
SecretPNG is in beta. It has not had an independent third-party security audit. We will not describe it as audited until a real audit report exists, and we will link that report here when it does.
What has been done
- The cryptography uses standard, widely reviewed constructions (AES-256-GCM, PBKDF2, the STREAM chunking scheme) via the browser's Web Crypto API — we did not invent any cryptographic primitives.
- The container format is documented and covered by known-answer, tamper, truncation, reordering, and duplication tests.
- The secure workspace is isolated from advertising and analytics by layout, a strict Content Security Policy, and network tests.
- Secret links are stored as ciphertext only; the decryption key never reaches our server.
What has not been done
- No independent security audit or penetration test.
- No formal verification of the implementation.
- Hosted delivery means you trust the JavaScript we serve at the moment you load a page. The offline app reduces this to a one-time trust decision. See the threat model.
Read the details
Cryptography
Algorithms, key derivation, randomness, and default parameters.
Container format
The versioned, documented .svault file format.
Threat model
Threats in and out of scope, mitigations, and residual risk.
Network transparency
Exactly what each route sends over the network.
Responsible disclosure
How to report a vulnerability safely.
Found a problem? See responsible disclosure or email security@secretpng.com.