Cyph’s source code is 100% public. Our openly accessible GitHub repository includes all client and server code, with the layer that handles releasing Cyph as a native app available here.
This transparency is critical to the trust and security of the service, because it ensures that independent security researchers are able to review it freely, and notify the public in the event that a critical vulnerability or intentional backdoor is discovered.
In the future, we’ll also add an automated way for third parties to independently build our public source code and verify that it corresponds to the the live production package. (You could actually do this right now without too much trouble, but the steps aren’t documented and wouldn’t be particularly user-friendly.)
Portions of Cyph are fully open source under permissive licenses such as BSD and MIT. That being said, the full Cyph application doesn’t comply with the OSI’s Open Source Definition. In addition to the patents, our source code is licensed under our custom Cyph-RSL license, a slightly more permissive fork of the read-only Ms-RSL; this means that third parties can’t fork and modify our code or deploy their own instances of Cyph without our permission. We believe that this is a fair compromise to allow us to develop Cyph as a commercially viable startup without ignoring a necessary aspect of its security.