Security Notes
A short, public overview of Stego-Lab's security posture: what has been reviewed and where the honest limits are, without exposing sensitive implementation details. A more detailed internal audit exists and is kept private.
Privacy posture
- On-device only. Image processing, encoding, decoding, and metadata editing run locally. There is no cloud backend and no account.
- No tracking, no telemetry, no third-party calls. The website itself ships no analytics, no remote scripts, and no remote fonts. A Content Security Policy (script-src 'none'; connect-src 'none') backs the first two of these: it blocks all script execution and every outbound fetch, XHR or WebSocket from the page, so analytics or beacons cannot be reintroduced silently.
- App Store privacy label: Data Not Collected.
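As an added check (example code written for this page, not part of the Stego-Lab website or its tooling), the following script parses a Content-Security-Policy header and confirms that script-src and connect-src resolve to 'none', either directly or through the default-src fallback, and flags permissive tokens anywhere in the policy. The sample headers are constructed here for illustration; PAGE_CSP is the policy quoted above.

```python
from typing import Dict, List, Optional

# CSP3 fetch directives: when one is absent, browsers fall back to default-src.
FETCH_DIRECTIVES = {
    "script-src", "connect-src", "img-src", "font-src", "style-src",
    "frame-src", "media-src", "object-src", "worker-src", "child-src", "manifest-src",
}
# Tokens that make a directive effectively open.
PERMISSIVE_TOKENS = {"*", "'unsafe-inline'", "'unsafe-eval'", "data:", "blob:", "http:", "https:"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source tokens]}.

    Directives are separated by ';', tokens inside a directive by whitespace, and
    directive names are case-insensitive. If a directive is repeated, browsers keep
    the first occurrence and ignore the rest, so we do the same.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header.split(";"):
        parts = raw.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Sources governing a directive, honouring the default-src fallback.
    None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def blocks_everything(sources: List[str]) -> bool:
    # 'none' must stand alone; an empty source list also matches nothing.
    return [s.lower() for s in sources] in ([], ["'none'"])


def check_no_remote(header: str) -> List[str]:
    """Return findings; an empty list means script-src and connect-src both block
    everything and no directive carries a permissive token."""
    policy = parse_csp(header)
    findings: List[str] = []
    for directive in ("script-src", "connect-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: not set and no default-src fallback, so it is unrestricted")
        elif not blocks_everything(sources):
            findings.append(f"{directive}: expected 'none', got: {' '.join(sources)}")
    for directive, sources in policy.items():
        lowered = [s.lower() for s in sources]
        for token in lowered:
            if token in PERMISSIVE_TOKENS:
                findings.append(f"{directive}: permissive token {token}")
        if "'none'" in lowered and len(lowered) > 1:
            findings.append(f"{directive}: 'none' mixed with other sources is ignored by browsers")
    return findings


# Constructed sample headers (not captured from the live site).
PAGE_CSP = "script-src 'none'; connect-src 'none'"
STRICT_CSP = ("default-src 'self'; script-src 'none'; connect-src 'none'; "
              "style-src 'self'; font-src 'self'; img-src 'self'")
WEAK_CSP = "default-src 'self'; script-src 'self' https://cdn.example.net; connect-src *"
PARTIAL_CSP = "img-src 'self'; style-src 'self'"   # says nothing about scripts or connections

if __name__ == "__main__":
    for label, csp in (("page", PAGE_CSP), ("strict", STRICT_CSP),
                       ("weak", WEAK_CSP), ("partial", PARTIAL_CSP)):
        print(label, check_no_remote(csp) or ["ok"])
```

Run it against the header the server actually sends (for example, copied from the browser's network panel); an empty result is what the claim above requires. Note that the page's two directives alone leave font-src, img-src and style-src unrestricted, which is why STRICT_CSP adds a default-src fallback.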
What was reviewed
Classes covered by the internal audit (no sensitive specifics published):
- Password handling and key derivation. The rule that turns a password string into the bytes fed to the key derivation is frozen for backward compatibility: changing it would change the derived key and make existing files undecryptable.
- Image loading guards against malformed / oversized inputs.
- Temporary-file lifecycle and cleanup.
- Error messages reviewed for sensitive-data redaction.
- Legacy-format handling and read-only compatibility paths.
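Why the password-byte rule above has to stay frozen is easiest to see in code. The following is an added example, not Stego-Lab's own contract or code: it assumes a hypothetical v1 rule (Unicode NFC, then UTF-8) feeding PBKDF2-HMAC-SHA256, and shows that two visually identical spellings of a password agree only because of that rule, and that a later "improvement" to NFKC would silently change the key for some passwords and not others. The salt and passwords are constructed for the demo.

```python
import hashlib
import unicodedata


# Hypothetical frozen contract (v1): Unicode NFC, then UTF-8. Illustration only,
# not Stego-Lab's actual rule.
def password_bytes_v1(password: str) -> bytes:
    return unicodedata.normalize("NFC", password).encode("utf-8")


# Two plausible-looking alternatives that would break files written under v1.
def password_bytes_raw(password: str) -> bytes:
    return password.encode("utf-8")            # no normalisation at all


def password_bytes_nfkc(password: str) -> bytes:
    return unicodedata.normalize("NFKC", password).encode("utf-8")


# Iteration count kept low so the demo runs quickly; production use needs a
# current OWASP-level count.
ITERATIONS = 50_000


def derive_key(password: str, salt: bytes, to_bytes=password_bytes_v1) -> bytes:
    """PBKDF2-HMAC-SHA256, 32-byte key. The KDF only ever sees bytes."""
    return hashlib.pbkdf2_hmac("sha256", to_bytes(password), salt, ITERATIONS, dklen=32)


SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, fixed for the demo

PRECOMPOSED = "Caf\u00e9"      # é as a single code point
DECOMPOSED = "Cafe\u0301"      # e + combining acute accent: renders identically
LIGATURE = "\ufb01le"          # "file" typed with the fi ligature, e.g. pasted from a PDF


def same_key(p1: str, p2: str, to_bytes=password_bytes_v1) -> bool:
    return derive_key(p1, SALT, to_bytes) == derive_key(p2, SALT, to_bytes)


def contract_change_breaks_file(password: str, old=password_bytes_v1, new=password_bytes_nfkc) -> bool:
    """True if a file encrypted under the `old` rule cannot be opened under `new`."""
    return derive_key(password, SALT, old) != derive_key(password, SALT, new)


if __name__ == "__main__":
    print("v1 (NFC): both spellings of Café give one key ->", same_key(PRECOMPOSED, DECOMPOSED))
    print("raw UTF-8: both spellings give one key        ->", same_key(PRECOMPOSED, DECOMPOSED, password_bytes_raw))
    print("v1 -> NFKC breaks a file locked with 'ﬁle'    ->", contract_change_breaks_file(LIGATURE))
    print("v1 -> NFKC breaks a file locked with 'Café'   ->", contract_change_breaks_file(PRECOMPOSED))
```

The last two lines are the dangerous part: the NFKC switch leaves most passwords alone and breaks only the ones containing compatibility characters, so the regression would not show up in ordinary testing. Freezing the rule, and versioning the file format if it ever has to change, is the only safe way to evolve it.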
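For the image-loading guard listed above, the check a practitioner wants is the one that runs before any pixel data is decoded. The following is an added example, not Stego-Lab's loader: it validates a PNG signature and IHDR chunk (length, CRC, dimensions, colour type and bit depth) and enforces illustrative size caps, so a malformed or decompression-bomb-sized file is rejected before a decoder allocates anything. The test inputs are constructed headers with no pixel data.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IHDR_LEN = 13
# Illustrative caps (not Stego-Lab's values): per-axis limit and total pixel budget.
MAX_DIMENSION = 16_384
MAX_PIXELS = 64_000_000
# PNG spec: allowed bit depths per colour type.
ALLOWED_DEPTHS = {0: {1, 2, 4, 8, 16}, 2: {8, 16}, 3: {1, 2, 4, 8}, 4: {8, 16}, 6: {8, 16}}


class ImageRejected(ValueError):
    """Raised before any pixel data is decoded."""


def check_png_header(data: bytes) -> dict:
    """Validate signature and IHDR and enforce size caps without decoding the image."""
    needed = len(PNG_SIGNATURE) + 8 + IHDR_LEN + 4
    if len(data) < needed:
        raise ImageRejected("truncated: no room for signature and IHDR")
    if data[:8] != PNG_SIGNATURE:
        raise ImageRejected("bad PNG signature")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != IHDR_LEN:
        raise ImageRejected("first chunk must be IHDR with length 13")
    body = data[16:16 + IHDR_LEN]
    (crc,) = struct.unpack(">I", data[16 + IHDR_LEN:16 + IHDR_LEN + 4])
    if zlib.crc32(b"IHDR" + body) != crc:
        raise ImageRejected("IHDR CRC mismatch (corrupt or tampered header)")
    width, height, depth, colour, compression, filt, interlace = struct.unpack(">IIBBBBB", body)
    # Spec range is 1..2^31-1 per axis. Python ints do not overflow, but a C loader
    # computing width*height*bytes_per_pixel in 32 bits would, so cap the product too.
    if not (1 <= width <= 0x7FFFFFFF and 1 <= height <= 0x7FFFFFFF):
        raise ImageRejected("dimensions outside the PNG range")
    if width > MAX_DIMENSION or height > MAX_DIMENSION or width * height > MAX_PIXELS:
        raise ImageRejected(f"oversized: {width}x{height}")
    if colour not in ALLOWED_DEPTHS or depth not in ALLOWED_DEPTHS[colour]:
        raise ImageRejected(f"invalid colour type / bit depth: {colour}/{depth}")
    if compression != 0 or filt != 0 or interlace not in (0, 1):
        raise ImageRejected("unknown compression, filter or interlace method")
    return {"width": width, "height": height, "bit_depth": depth, "colour_type": colour}


def make_png_header(width: int, height: int, depth: int = 8, colour: int = 6,
                    corrupt_crc: bool = False) -> bytes:
    """Build a signature + IHDR prefix as a constructed test input (no pixel data)."""
    body = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + body) ^ (0xFFFFFFFF if corrupt_crc else 0)
    return PNG_SIGNATURE + struct.pack(">I", IHDR_LEN) + b"IHDR" + body + struct.pack(">I", crc)


def is_accepted(data: bytes) -> bool:
    try:
        check_png_header(data)
        return True
    except ImageRejected:
        return False


if __name__ == "__main__":
    print(check_png_header(make_png_header(640, 480)))
    for label, blob in (("bomb", make_png_header(100_000, 100_000)),
                        ("bad crc", make_png_header(640, 480, corrupt_crc=True)),
                        ("palette at 16 bit", make_png_header(64, 64, depth=16, colour=3))):
        try:
            check_png_header(blob)
        except ImageRejected as exc:
            print(f"{label}: rejected ({exc})")
```

The same pattern applies to TIFF: read the directory entries for width, length and bits-per-sample, bound the product, and only then hand the file to the real decoder. The caps are a policy decision; what matters is that they are checked from the header, not discovered when an allocation fails.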
Known limits
- Steganography is not invisibility. AES encrypts the payload content, but it cannot hide the fact that embedding took place: LSB embedding changes the statistics of the carrier, and steganalysis (e.g. RS analysis, chi-squared tests on pairs of values) can detect the presence of a hidden channel. Use Stego-Lab for content confidentiality, not as proof that nothing is hidden.
- JPEG destroys hidden data. Lossy recompression, including the re-encoding social-media platforms apply on upload, rewrites pixel values and wipes LSB payloads. Export and share images carrying invisible payloads as PNG or TIFF (lossless), never as JPEG.
- Password strength is on you. A weak password weakens the AES protection regardless of the app: the key is only as unpredictable as the password it is derived from.
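The detectability limit above is concrete enough to demonstrate. The following is an added example, not Stego-Lab's code: it runs the chi-squared pairs-of-values test (Westfeld and Pfitzmann) over one 8-bit channel, first on a constructed cover and then after a random (i.e. encrypted-looking) payload has been written into every LSB. The cover's value distribution is constructed with a natural-looking asymmetry between each even value and its odd partner.

```python
import random

PAIRS = 128  # value pairs (0,1), (2,3), ..., (254,255)


def pov_chi_squared(samples):
    """Chi-squared statistic over the 128 pairs (2k, 2k+1) of one 8-bit channel.

    Writing random bits into every LSB pushes the two members of each pair towards
    equal counts, so the statistic collapses to roughly its degrees of freedom.
    An untouched cover keeps its uneven pairs and scores far higher.
    Returns (statistic, degrees_of_freedom)."""
    counts = [0] * 256
    for v in samples:
        counts[v] += 1
    chi2, used = 0.0, 0
    for k in range(PAIRS):
        even, odd = counts[2 * k], counts[2 * k + 1]
        expected = (even + odd) / 2
        if expected == 0:
            continue   # value pair absent from this image; nothing to test
        chi2 += (even - expected) ** 2 / expected
        used += 1
    return chi2, used - 1


def embed_lsb(samples, bits):
    """Plain sequential LSB replacement; len(bits) must equal len(samples)."""
    return [(v & 0xFE) | b for v, b in zip(samples, bits)]


def make_cover(n, seed=1234):
    """Constructed 8-bit channel: each even value is about four times as common
    as its odd partner, mimicking the uneven pairs of a real photograph."""
    rng = random.Random(seed)
    return [2 * rng.randrange(PAIRS) + (1 if rng.random() < 0.2 else 0) for _ in range(n)]


def demo(n=128 * 128):
    """Return ((chi2, dof) for the cover, (chi2, dof) for the stego channel)."""
    cover = make_cover(n)
    rng = random.Random(42)
    # An encrypted payload is indistinguishable from random bits, which is exactly
    # what equalises the pairs: AES hides the content, not the embedding.
    payload = [rng.getrandbits(1) for _ in range(n)]
    stego = embed_lsb(cover, payload)
    return pov_chi_squared(cover), pov_chi_squared(stego)


if __name__ == "__main__":
    (c_chi2, dof), (s_chi2, _) = demo()
    print(f"cover: chi2={c_chi2:.0f} dof={dof}  (far above dof: pairs uneven, no embedding seen)")
    print(f"stego: chi2={s_chi2:.0f} dof={dof}  (close to dof: pairs equalised, embedding detected)")
```

With SciPy available, `scipy.stats.chi2.sf(stat, dof)` turns the statistic into a p-value: near 0 for the cover and near 1 for the stego channel is the classic signature. Real steganalysis walks the image in blocks to estimate how much of it carries data, and RS analysis also catches partial embedding that this whole-image test can miss; neither depends on knowing the password.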
Reporting
Please report vulnerabilities privately, not in a public GitLab issue:
- Email: stego-lab@proton.me
- Policy: SECURITY.md
- RFC 9116: /.well-known/security.txt