AuroraWhisp
RU EN
Security

Technical details for skeptics

If "everything is local" does not convince you — here is the long version with specifics. And what is NOT secure on our side — too.

Short version

  • Voice is processed on your computer and never leaves it. Open Wireshark — empty.
  • No accounts. Email is needed only for Pro activation, tied to the key — used nowhere else.
  • The exe is not signed with an Authenticode certificate. That is everything we lack.

Network activity — three exceptions

AuroraWhisp reaches the internet only in three cases: (1) first download of an additional language model, if you opt in — a default model is already inside the .exe; (2) update check (can be disabled); (3) one-off licence activation when Pro is first installed — afterwards everything works offline. No analytics pings, no heartbeat requests. Open Wireshark, block the firewall — the app keeps working.

Which models are used and where to verify them

Sherpa Zipformer English (85 MB, ~150 ms) — github.com/k2-fsa/sherpa-onnx. Whisper Tiny / Base / Small / Medium / Large-v3 — openai/whisper, ctranslate2-converted. Distil-Whisper Large-v3 (EN only). All models are open: download the originals, compute SHA-256, compare with what's inside AuroraWhisp.

What lives in %APPDATA%\AuroraWhisp\

settings.json — your settings (hotkey, language, widget size). history.db — SQLite with dictation history (can be disabled or wiped at any time). analytics.jsonl — local UX statistics, never uploaded. license.json — Pro key with RSA signature (if activated). No audio is saved. All files are yours; disk-level encryption (BitLocker/VeraCrypt) recommended but your call.

Licence activation — RSA, offline-first

A Pro key is a file with our server’s RSA signature. On first activation the app makes one HTTP request, gets the signature, saves it to license.json. After that, validation is local via the public key — no internet needed. Re-binding to a new device — via your account on the website (3 devices simultaneously per key).

Binary signing

The exe is not signed with an Authenticode certificate, so on first launch Windows may show a SmartScreen "unknown publisher" warning. Click "More info → Run anyway". We plan to buy the certificate when it makes sense.

Single-instance + one process

The app prevents accidental double-launch — you’ll see a notice and the existing process comes to the front. One process = one control point. No background services, no autostart unless you explicitly enable "Start with Windows" in settings.

Open source?

The program itself is closed. The models we use (Whisper, Zipformer, Distil-Whisper) are open. Download originals from HuggingFace, verify SHA-256, confirm we are not shipping our own backdoored variants. External audit of the program — not done yet; we do not have budget for paid pentest.

What is stored in our server DB

On first Pro activation we create one DB record: licence key, buyer's email (so we can re-issue if lost), device hardware_id (a SHA-256 hash of hardware identifiers, not the hardware itself), device name, activation and last-seen dates. Nothing more. No IP addresses, no geolocation, no user-agent. The DB is backed up daily with 30-day rotation. Server access is restricted to admin only.

Bug bounty

Found a vulnerability — write to security@aurorawhisp.com with reproduction steps. Reply within 24 hours. For real findings we pay: low-severity (cosmetic, no exploit) — $50; medium (metadata leak, limit bypass) — $150; high (licence or DB compromise) — $500; critical (RCE, voice-data leak) — $1,000+. Bug bounty is informal for now.

What is NOT secure on our side right now (honest self-assessment)

The exe is not signed with an Authenticode certificate — Windows shows SmartScreen on first launch. No external pentest yet — only our own security review. Open source — only the models we use, the program itself is closed (so you cannot read our code). Licence activation requires one HTTP request to our server — theoretically if the server is breached, future activations could be compromised (although already-issued keys remain valid because verification is local via RSA signature). We say it openly.