Update (March 4, 2013): In collaboration with Veracode, we are now able to release a more detailed attestation of the audit results. Download PDF.
Cryptocat recently received the results of its second security audit, carried out by leading application security team Veracode.
We are very pleased to announce that, within the scope of their five-day audit, Veracode did not find any vulnerabilities or security flaws within the Cryptocat software, earning Cryptocat a Veracode Level 2 classification highlighted by a Security Quality Score of 100/100. This is a landmark event for the Cryptocat Project, and great news as we progress towards real security.
Cryptocat was manually penetration tested for code security purposes using a 5-day time-boxed test. With Veracode, we are taking steps to identify application vulnerabilities and remediate them so we comply with our internal security and risk management policies. Due to the nature of software security testing, we cannot guarantee this software is completely secure; however, through independent testing using Veracode we have utilized the most widely accepted and comprehensive methods available to secure this software.
It’s no secret that there was a lot of celebration here at Cryptocat over these results. Completely passing an audit with zero weaknesses or vulnerabilities is a rare event even for very high-profile software. This is perhaps Cryptocat’s greatest achievement yet.
Unfortunately, due to Veracode’s company policy, we are not allowed to release the full contents of the audit.