The source code of Threema’s new desktop app is now publicly accessible. Consequently, the app is also covered by Threema’s bug bounty program. However, bounty hunters shouldn’t get too excited: the new desktop app has already undergone a thorough security audit, and it passed a recent bug bounty challenge.
All Threema Apps Are Now Open Source
Threema 2.0 for desktop is based on a completely new architecture, features a fully redesigned user interface, and offers multi-device support. Users of the iOS mobile app can already use the upcoming desktop app as a beta version and connect it to up to two computers. The apps on all connected devices will then stay in sync but can be used independently of one another.
Just like the first-generation desktop app and the mobile apps for Android and iOS, the new desktop app is now open source. Thus, external experts are able to examine the app’s security. Those who report security-related issues are eligible to rewards of up to CHF 10,000, depending on the severity.
Audit and Bug Bounty Challenge
Recently, the new desktop app was put through its paces during GOhack24’s Bug Bounty Challenge. However, the ethical hackers weren’t able to find any security issues.
Earlier this year, the app was already subjected to a systematic audit by Cure53. Again, the audit’s findings, which have been addressed right away, didn’t include any critical vulnerabilities. In their final report, the security researchers state:
[T]he testing team was quite impressed with the overall security standing of the components in scope. (p. 17)