Press, the "break it" challenge & responsible disclosure
We built Helix to be battle-tested. We're not asking you to take our word for it — we're asking you to prove us wrong. This page is for the journalists who cover this industry and the researchers who keep it honest. Come look. Come break it.
1. The story
In 2026, "private" communication is mostly a marketing word. The apps a billion people call secure are tied to phone numbers, run on the clouds of advertising companies, leak metadata by the terabyte, and — as the Pegasus revelations made unforgettable — can be hollowed out at the endpoint by spyware that simply reads the screen. The encryption was never the weak point. The phone number was. The cloud backup was. The third party that could be subpoenaed was. The metadata was.
Helix is a deliberate answer to that reality: a closed, post-quantum communications system — messaging, voice, global video, encrypted files, disposable mail, a self-custody wallet and a private, zero-log VPN — built on its own protocols and its own decentralized network, with no third parties anywhere in the trust path. It runs on Windows, macOS, any Linux computer, iOS, Android and GrapheneOS, and ships, for those who want it, on a hardened GrapheneOS phone built to resist Pegasus-class spyware. There are no accounts, no email, no phone numbers. Payment is crypto, non-custodial. The company behind it holds nothing it could hand over, because there is nothing to hold.
It is built for the people for whom interception is not an inconvenience but a catastrophe: lawyers and legal teams protecting privilege, family offices and high-net-worth families whose conversations move money and attract predators, trading and investment firms whose deal flow is market-moving, journalists protecting sources, and the privacy-savvy who decided long ago that they would not wait to find out the hard way. That is the story: not another chat app, but an operational-security tool for a threat model the mass market pretends doesn't exist.
Why now? Because three curves crossed at once. Quantum progress turned "harvest now, decrypt later" from a theorist's footnote into an operational strategy: adversaries record encrypted traffic today on the bet they can read it within the decade, which means anything you send on classical crypto has an expiry date you don't control. Artificial intelligence collapsed the cost of mass analysis: it is now trivial to sift oceans of intercepted messages, voice and video for the few sentences that matter, so "they'd never bother reading mine" stopped being true. And the mercenary-spyware industry industrialized endpoint compromise, proving that strong encryption is irrelevant if the phone itself is owned. Any one of those would justify rethinking how private communication works. Together, in 2026, they make the comfortable defaults — a phone-number messenger, a cloud backup, a free VPN, a stock smartphone — look less like privacy and more like a paper trail waiting to be read. Helix is a bet that the answer is not a better single app, but a different architecture: closed, self-custodial, post-quantum, multi-platform, and accountable to no third party. Whether that bet is right is exactly the kind of question we want the press and the research community to interrogate.
2. Break it — prove us wrong
Here is the part most companies would never write. We think most "secure" products are sold on faith — a logo, a buzzword, a promise. We refuse to ask for faith. So we are issuing an open, standing challenge to the security community: break Helix.
We publish our cryptographic design openly in our white paper, because security that depends on hiding the mechanism is not security — it is theatre. Kerckhoffs's principle has been the foundation of serious cryptography for a century and a half: a system must remain secure even when everything about it except the keys is known. We hold ourselves to that standard in public. The handshake, the ratchet, the onion routing, the threat model, and — crucially — the honest limitations are all written down for anyone to attack on paper before they ever attack it in practice.
We say Helix is battle-tested because it was engineered, from the first line, to survive adversarial scrutiny: a hybrid post-quantum handshake that stays secure if any one of its three independent mechanisms holds; a double cipher cascade so a future weakness in one algorithm does not expose a single message; a self-healing ratchet that recovers from a transient compromise; metadata defenses that protect the social graph and not merely the words; a closed network with no inbound surface for a stranger to attack; and, for the device layer, the most hardened mobile platform available. But "engineered to survive" is a hypothesis until someone tries to falsify it. So try.
We would rather be proven wrong by a friendly researcher today than fail a journalist's source, a dissident, or a family tomorrow. If you find a flaw, you will not get a cease-and-desist from us — you will get our gratitude, our cooperation, and public credit if you want it. That is the opposite of how the surveillance industry behaves, and it is the entire point. See our responsible-disclosure policy for how to report, and what we commit to in return.
We don't claim to be unbreakable. We claim to be built to be broken honestly, in the open, before it matters — and we're inviting the people best equipped to try.
What counts as breaking it
So there's no ambiguity, here is what we consider a meaningful finding, roughly in order of severity.
- A critical result recovers message, call, or file plaintext without the endpoint's keys, forges authentication so one party can impersonate another, or breaks the post-quantum guarantees of the handshake.
- A high result deanonymizes sender and recipient to a single network vantage point that should not be able to link them, defeats the fail-closed tunnel so traffic leaks to the real connection, or escapes the closed-network model so an unauthorized party can reach a user.
- A medium result degrades forward secrecy or post-compromise security, weakens the at-rest sealing of the vault, or finds a metadata leak the design claims to prevent.
We also want to hear about anything in the payment and licensing services, the website, and the supply chain of how builds reach users. "It uses cryptography I personally dislike" is not a finding; "here is a concrete attack and how to reproduce it" is. We will assess every report on its merits, tell you honestly how we rate it, and explain our reasoning either way.
Researchers who report valid issues are recognized publicly if they wish, credited in the revision of the affected document or release notes, and — for genuinely serious, novel findings — we are glad to discuss a reward. The recognition is real and the cooperation is unconditional; what we will not do is treat a good-faith researcher as a threat. That single difference, more than any feature, is how you can tell a serious security product from a marketing exercise.
3. Why this is newsworthy
For editors weighing whether there's a story here, the angles are concrete and, we think, genuinely novel in a crowded field:
- Consolidation. Almost every privacy tool does one thing — chat, or mail, or VPN, or a hardened phone. Helix folds messaging, calls, global video, files, mail, a self-custody wallet and a zero-log VPN into one closed product. The "replace four leaky subscriptions with one" story is real and under-told.
- Post-quantum, today. "Harvest now, decrypt later" is no longer hypothetical. A consumer-grade product shipping full post-quantum protection — not just a post-quantum handshake bolted onto classical messaging — is a story about where the whole industry has to go.
- The GrapheneOS / Pegasus angle. Mercenary spyware is built and tested against stock iOS and Android. The argument that the right hardened platform changes the economics of an attack — and that you can bring your own GrapheneOS device or buy one ready-made — is a counter-narrative to the "nothing can stop Pegasus" fatalism.
- No accounts, crypto-only, non-custodial. A communications business that deliberately holds nothing — no user database, no payment trail it controls, no keys — is a structural answer to the subpoena-and-breach cycle, not a policy promise.
- Radical transparency. A published white paper, public comparison pages that name competitors honestly, a 3,800-word explainer of how Pegasus works, and an open "break it" challenge. Vendors in this space almost never invite scrutiny. We do.
We are happy to brief reporters on the technical design at any depth, walk through the threat model and its limits, and put researchers in front of the architecture. We will not, however, identify our users, our infrastructure, or anything that would put a customer at risk — and we'll explain exactly why, on the record.
4. Our transparency posture
Transparency and operational security are not in conflict if you draw the line in the right place. We publish everything that bears on whether the cryptography is sound — the design, the assumptions, the trade-offs — and we publish nothing that bears only on operational security, such as network addresses or the specifics of our anti-forensics. The first category invites review and makes us stronger; the second only helps an attacker and helps no honest reviewer.
That posture extends to honesty about limits. Our white paper has a "limitations" section because any security document without one is a sales brochure. We state plainly that a global passive adversary who can watch the entire internet at once can, in principle, attempt traffic confirmation; that no application can guarantee confidentiality on a device an attacker fully controls at the hardware level (which is exactly why we offer a hardened device and attack-surface reduction); and that self-custody means there is no recovery path for a lost key, by deliberate design. A vendor that won't tell you what it can't do should not be trusted about what it can.
5. The privacy press — who we invite
There is a community of journalists, researchers and labs who have done more to protect ordinary people than any vendor's marketing department ever will. They exposed Pegasus. They audit the apps. They hold this entire industry — ours included — accountable. We don't claim their endorsement; we extend an open invitation for them to put us to the test, and we will cooperate fully. If you write about privacy, security or surveillance, this is a standing offer to scrutinize Helix and report whatever you find.
Research labs & advocates
- Citizen Lab (University of Toronto) and Amnesty International Security Lab — the teams whose forensics exposed Pegasus.
- Electronic Frontier Foundation (EFF), Access Now, and the Freedom of the Press Foundation.
Outlets that cover this beat
- Wired, Ars Technica, The Verge, TechCrunch and 404 Media for technology and security reporting.
- The Record (Recorded Future), BleepingComputer, The Register, The Hacker News and CyberScoop for the security trade.
- Krebs on Security and Schneier on Security for independent analysis.
- The Intercept and The Guardian for surveillance and civil-liberties coverage.
- Privacy-focused communities and review sites such as Restore Privacy, PrivacyGuides and the broader self-hosted/opsec press.
To every name above: we are not asking for a favourable write-up. We are asking you to do exactly what you do best — test the claims, read the white paper, try to break the product, and tell your readers the truth. If we fall short, say so. If we hold up, that is a story too.
6. Press kit & facts
Everything a reporter needs to start is already public on this site, no gatekeeping:
- The white paper — architecture and threat model, released for peer review.
- How Pegasus works — a ~3,800-word technical explainer of the threat Helix is built against.
- The full feature list and honest comparison pages against Signal, WhatsApp, Telegram, Wickr and Pegasus.
Quick facts, on the record: Helix is a closed, post-quantum communications suite; it has no user accounts, no email and no phone numbers; it runs on Windows, macOS, Linux, iOS, Android and GrapheneOS; payment is crypto and non-custodial; pricing is fixed and published (Core, Operator and Sovereign tiers, plus an optional hardened phone); and the company holds no message content, no keys and no customer database. We are deliberately reticent about the people behind the project and the infrastructure that runs it, for the same reason our customers choose us — and we're glad to explain that reasoning to any reporter.
7. Press Q&A
The questions reporters ask us most, answered plainly and on the record.
"Isn't 'unhackable' just marketing?"
Yes — which is why we don't say it. We say Helix is built to be battle-tested and we publish the design so it can be challenged. Anyone who promises total immunity, especially against a hardware-level implant, is either misinformed or selling something. Our pitch is the opposite of a guarantee: it's an invitation to test, plus an honest account of what we can and cannot do.
"Who's behind it? Who funds it?"
We are deliberately reticent about the individuals and infrastructure, for the same reason our customers value us: the less that is public, the smaller the attack and pressure surface. This is a normal posture for tools used by people under threat, and we're happy to discuss the reasoning rather than dodge the question. What matters journalistically is verifiable from the outside: the design is published, the product is testable, and the company structurally holds nothing it could be forced to surrender.
"Isn't this just a tool for criminals?"
Strong privacy is a civil good, not a criminal one. The same properties that protect a drug cartel's chat also protect a journalist's source, a dissident's life, a lawyer's privilege, a board's deal, and a family's safety — and history shows the powerful surveil the latter groups far more often than they catch the former. Networks built and sold to crime, with custodial control and opaque operators, are the ones that got dismantled. Helix is the opposite: lawful-use, self-custody, peer-reviewable, with no operator who can read or move anything. We don't market to crime, and our architecture gives criminals no special favour that it doesn't give a human-rights lawyer.
"How is this different from the cryptophone networks that got busted?"
Those networks (EncroChat, Sky ECC, ANOM and others) were centralized, custodial, marketed to organized crime, and in at least one case run by law enforcement as a honeypot. Their users trusted an operator who turned out to be a single point of catastrophic failure. Helix removes the operator from the trust equation entirely: open design, self-custody keys, no servers holding content, no accounts. The lesson of those busts is exactly the lesson we built around.
"Can you hand my data to a government if compelled?"
We can hand over only what we have, and by design that is nothing of value: no message content, no keys, no user database, no payment ledger we control. A subpoena to us returns an empty box. That is a structural property, verifiable from the architecture, not a policy we could quietly change.
"Is it audited?"
The design is published for peer review now, and this challenge is part of inviting that scrutiny. We will not overstate the status of any review; when independent audits are completed, we will publish them — including anything unflattering. Until then, the honest framing is: open design, open challenge, claims you are encouraged to test rather than trust.
8. Responsible-disclosure policy
We welcome reports of security vulnerabilities and will treat the researchers who send them as allies, not adversaries.
In scope
The Helix applications, the cryptographic protocols described in our white paper, the network and relay design, the payment and licensing services, and this website. Findings that demonstrate a real weakening of confidentiality, integrity, authentication, metadata protection, or availability are exactly what we want to hear about.
How to report
Send a clear write-up — what you found, how to reproduce it, and the impact — through the in-app support channel (the most private way to reach us) or the contact method published in the app. Encrypt your report to us if you can. Please give us a reasonable window to remediate before publishing, and please do not access, modify or exfiltrate data that isn't yours, degrade service for real users, or test against anyone else's account or device.
What we commit to
- We will acknowledge a good-faith report promptly and keep you updated as we investigate and fix.
- We will not pursue legal action against researchers acting in good faith under this policy.
- We will credit you publicly for valid findings if you wish, and note the fix in the next revision of the relevant document.
- We will be honest with our users about issues that affected them, because trust earned by hiding problems isn't trust.
This is how a security product should behave: invite the scrutiny, fix what's found, credit the finder, tell the truth. If you can break Helix, you will make it — and everyone who relies on it — stronger. That is not a threat to us. It's the whole design.