Security posture

Security is product work, not a checkbox.

This page explains how Shmery protects account-backed identity, updates, remote assets and self-hosted voice during beta.

Responsible reporting

If you find a security issue, e-mail [email protected]. Include the affected version, the minimum reproduction, whether it touches desktop, backend, voice-server or web, and whether real user data could be affected.

Do not publish exploit details before we have had a reasonable chance to investigate and patch. Do not access, modify, delete or exfiltrate data that is not yours.

Updates

Desktop update packages are verified before install with hashes and signatures. Runtime packages also carry an expected size so the updater can reject oversized downloads.

Voice-server update manifests include hash/signature metadata. Server operators should keep auto-update enabled so compatibility and security fixes are applied quickly.

Accounts

Account passwords are hashed. Password reset tokens are not stored as plain text. Account sessions are bound to device identity and can be revoked from account security settings.

Shmery supports e-mail based two-factor confirmation for account and admin flows. The admin panel additionally requires an admin PIN and uses a short trusted-device window to avoid excessive repeated codes.

Voice transport

Voice packets use authenticated encryption per session with replay protection and source pinning. Voice servers are self-hosted, so server operators still need basic VPS security, firewall hygiene, updates and backups.

Shmery does not currently claim end-to-end encryption for all communication. Direct-message E2EE may be added later, but the current beta should be treated as server-mediated communication.

Remote assets

Avatar and profile rendering is limited to local cached assets and trusted Shmery asset hosts. This avoids letting arbitrary voice servers force desktop clients to fetch images from private networks.

Self-hosted servers

Self-hosted voice servers store their own channel state, text-channel history, moderation data and logs. Operators are responsible for OS updates, firewall rules, database backups and access to their machines.

Registered-only access, license checks and server aliases rely on Shmery account infrastructure when enabled.

Current limits

  • Web account portal sessions are still planned to move to HttpOnly cookies in a future hardening pass.
  • The server installer source bundle should receive an additional offline signature verification layer before long-term stable release.
  • More automated UI smoke tests are planned for multi-server desktop behavior and account deletion flows.