A coordinated community security audit conducted during November and December 2025 identified three security vulnerabilities in the platform's codebase. All three have been patched and responsibly disclosed, with full technical details now published for community review on Dread.
The first vulnerability, rated low severity, involved a session token entropy issue that reduced the theoretical randomness of generated session identifiers under specific server load conditions. While not practically exploitable given the platform's architecture, it represented a deviation from best practices. The fix implements a hardware random number generator as the entropy source for all session token generation.
The second vulnerability, rated medium severity, was a cross-site request forgery (CSRF) protection bypass that could allow a malicious .onion site to make authenticated requests on behalf of a logged-in user under specific circumstances. The fix strengthens the CSRF token validation logic and adds same-origin verification steps.
The third finding, also rated medium severity, involved the session management system failing to invalidate all of a user's active sessions when that user changed their password. All three issues are now fully patched. The platform has committed to conducting similar community audits on a semi-annual basis going forward.
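As an added illustration of the third finding (example code, not the platform's or the auditors' own), the Python below models a session store in which every session records the password generation it was issued under, so a password change evicts all other sessions while keeping the one that made the change; the `check_generation=False` path reproduces the flawed behaviour for comparison. The user name, hashes and tokens are constructed sample values.

```python
from __future__ import annotations
import secrets
from dataclasses import dataclass

@dataclass
class User:
    password_hash: str
    pw_generation: int = 0  # incremented on every password change

class SessionStore:
    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        # token -> (username, password generation at the time the session was issued)
        self.sessions: dict[str, tuple[str, int]] = {}

    def login(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[token] = (username, self.users[username].pw_generation)
        return token

    def change_password(self, username: str, new_hash: str, keep_token: str | None = None) -> None:
        user = self.users[username]
        user.password_hash = new_hash
        user.pw_generation += 1  # every previously issued session now carries a stale generation
        if keep_token in self.sessions:
            # re-bind only the session that performed the change, so the user stays logged in
            self.sessions[keep_token] = (username, user.pw_generation)

    def authenticate(self, token: str, check_generation: bool = True) -> str | None:
        entry = self.sessions.get(token)
        if entry is None:
            return None
        username, issued_gen = entry
        # check_generation=False reproduces the audited flaw: tokens survive a password change
        if check_generation and issued_gen != self.users[username].pw_generation:
            del self.sessions[token]  # hardened path: reject and purge the stale session
            return None
        return username

def demo() -> dict[str, str | None]:
    store = SessionStore()
    store.users["alice"] = User(password_hash="argon2-hash-v1")  # constructed sample user
    laptop = store.login("alice")  # the session from which the password is changed
    phone = store.login("alice")   # an older session that should be evicted
    store.change_password("alice", "argon2-hash-v2", keep_token=laptop)
    return {
        "laptop_hardened": store.authenticate(laptop),
        "phone_flawed": store.authenticate(phone, check_generation=False),
        "phone_hardened": store.authenticate(phone),
    }
```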
