Security

Audits

The last audit of the fully open source Serenity codebase was performed in 2023-12 by Radically Open Security. All concerns have been addressed and the audit report will be available here in 2024-01.

The last audit of our opaque and react-native-opaque libraries was performed in 2023-11 by 7ASecurity. All concerns have been addressed and the audit report will be available here in 2024-01.

End-to-end Encryption

The following content is encrypted and can only be decrypted by the intended recipient:

  • Page
  • Page title
  • Comment
  • Comment reply
  • Folder name
  • Workspace name
  • Workspace avatar

Key-rotation

This is where we are better than most other end-to-end encrypted services. In most other services the encryption keys do not change when a member is removed from a list or a share link is revoked. This means that the removed member, or anyone holding the revoked share link, can still decrypt the content if they get access to the encrypted data.

In Serenity the encryption keys are rotated when a member is removed or a share link is revoked.
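The following is an added illustration of why rotation matters, not Serenity's own code (the page links the technical documentation for the real protocol). It models one plausible design: each workspace has an epoch key; an admin wraps that key for every current member and stores the wrapped copies on an untrusted server; removing a member starts a new epoch. Member, server and class names, the use of a per-device symmetric key in place of a public-key wrap, and the HMAC-SHA256 based stand-in for a real AEAD are all assumptions made so the example runs on the Python standard library. The same scenario is run with and without rotation so the difference is visible: a removed member who cached the old key can still read later pages unless the key changes.

```python
import hashlib
import hmac
import secrets


def _hkdf(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-SHA256 (RFC 5869) with an empty salt; derives independent subkeys from one key."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (demo construction, not a real cipher)."""
    stream = b""
    for counter in range((length + 31) // 32):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return stream[:length]


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Stand-in authenticated encryption (encrypt-then-MAC over aad||nonce||ct).
    Constructed for this example; a real deployment uses a proper AEAD."""
    enc_key, mac_key = _hkdf(key, b"enc"), _hkdf(key, b"mac")
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _hkdf(key, b"enc"), _hkdf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Untrusted storage: holds only wrapped epoch keys and ciphertexts, never plaintext."""
    def __init__(self):
        self.wrapped = {}   # epoch -> {member_id: epoch key sealed under that member's device key}
        self.pages = []     # (epoch, ciphertext)


class Client:
    """A member's device. Unwrapped epoch keys are cached locally, as any real client would."""
    def __init__(self, member_id: str, server: Server):
        self.id, self.server = member_id, server
        self.device_key = secrets.token_bytes(32)   # constructed: stands in for the member's key pair
        self.cache = {}                              # epoch -> unwrapped epoch key

    def epoch_key(self, epoch: int) -> bytes:
        if epoch not in self.cache:
            wrapped = self.server.wrapped.get(epoch, {}).get(self.id)
            if wrapped is None:
                raise PermissionError(f"{self.id} has no key for epoch {epoch}")
            self.cache[epoch] = open_sealed(self.device_key, wrapped, aad=f"epoch:{epoch}".encode())
        return self.cache[epoch]

    def publish(self, epoch: int, text: str) -> None:
        blob = seal(self.epoch_key(epoch), text.encode(), aad=f"page:{epoch}".encode())
        self.server.pages.append((epoch, blob))

    def read(self, index: int) -> str:
        epoch, blob = self.server.pages[index]
        return open_sealed(self.epoch_key(epoch), blob, aad=f"page:{epoch}".encode()).decode()


class Admin:
    """The member managing membership: generates epoch keys and wraps them for each member."""
    def __init__(self, server: Server, members, rotate_on_remove: bool):
        self.server, self.rotate_on_remove = server, rotate_on_remove
        self.members = {m.id: m for m in members}
        self.epoch = 0
        self._new_epoch()

    def _new_epoch(self) -> None:
        self.epoch += 1
        key = secrets.token_bytes(32)
        # A real admin would wrap to each member's public key; the shared device key models that.
        self.server.wrapped[self.epoch] = {
            mid: seal(m.device_key, key, aad=f"epoch:{self.epoch}".encode())
            for mid, m in self.members.items()}

    def remove(self, member_id: str) -> None:
        del self.members[member_id]
        for epoch_keys in self.server.wrapped.values():   # server-side revocation of every wrapped copy
            epoch_keys.pop(member_id, None)
        if self.rotate_on_remove:
            self._new_epoch()                             # fresh key, wrapped only for remaining members


def removed_member_can_read_new_page(rotate_on_remove: bool) -> bool:
    """Alice removes Bob, then publishes a new page. Returns True if Bob can still read it."""
    server = Server()
    alice, bob = Client("alice", server), Client("bob", server)
    admin = Admin(server, [alice, bob], rotate_on_remove)
    alice.publish(admin.epoch, "page 1, shared with bob")
    assert bob.read(0) == "page 1, shared with bob"   # Bob reads legitimately and caches the epoch key
    admin.remove("bob")
    alice.publish(admin.epoch, "page 2, written after bob was removed")
    try:
        bob.read(1)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("without rotation, removed member reads new page:", removed_member_can_read_new_page(False))
    print("with rotation, removed member reads new page:   ", removed_member_can_read_new_page(True))
```

Without rotation, deleting Bob's wrapped key from the server changes nothing, because Bob already holds the unwrapped epoch key on his device; with rotation, page 2 is sealed under a key that was never wrapped for him. Note what rotation does not do: content Bob could already read (page 1) stays readable to him if he kept a copy, which is exactly the caveat the paragraph above describes.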

Metadata

While all the content is encrypted, the server and anyone able to monitor your network traffic can still see a lot of metadata, e.g. the size of the encrypted content, the time you sent it, the time you retrieved new content, the members of a workspace and your device list.

In addition, email addresses are stored in plain text in the database.

Technical documentation

In case you are interested, there is detailed technical documentation available that describes the protocols used and links to the relevant code.

Reporting a Vulnerability

If you discover a security vulnerability within this project, please send an e-mail to hi@serenity.re. All security vulnerabilities will be promptly addressed.