Warrant Canary

Last Updated: 2026-04-01

As of 2026-04-01, the following statements are true:

  1. VuLabs Inc has not received a National Security Letter (NSL).
  2. VuLabs Inc has not received a FISA court order.
  3. VuLabs Inc has not received a gag order under any jurisdiction.
  4. No government has asked VuLabs Inc to insert a backdoor, weaken our cryptography, or hand over user data.
  5. We have not been asked to retain logs that we do not currently retain, or to begin retaining logs we previously did not.
  6. No third party has gained administrative access to the VuAppStore production infrastructure.

Update schedule

This statement is re-issued on the first day of every calendar quarter:

  • Q1 — January 1
  • Q2 — April 1
  • Q3 — July 1
  • Q4 — October 1

If a canary update is more than two weeks late, or if any of the statements above are quietly altered or removed, treat that as a signal. Under U.S. law as we understand it, the government cannot compel us to make affirmatively false statements; it can only compel us to remain silent. If a future canary uses different language or omits one of the statements above, that is the signal.

Cryptographic anchor

The statement above is published with a detached PGP signature and a recent Bitcoin block hash, used as proof of post-dating.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

VuAppStore / VuLabs Inc warrant canary, 2026-04-01.
All six statements at /warrant-canary are true on this date.
Bitcoin block reference: [REQUIRES_PUBLISH_TIME_BLOCK_HASH]

-----BEGIN PGP SIGNATURE-----
[REQUIRES_PUBLISH_TIME_SIGNATURE]
-----END PGP SIGNATURE-----

You can verify the signature with the maintainer public key. The fingerprint is:

[REQUIRES_CONFIRMATION: PGP fingerprint not yet published]

Once published, the key will be available on keys.openpgp.org and keyserver.ubuntu.com.

Previous canaries

Every prior canary version is preserved in git history at github.com/vuappstore/vuappstore. You can audit the full chain of statements there.

A canary is a hedge against compelled silence, not a guarantee. Treat it as one signal among many. The strongest guarantee remains the architecture: we cannot disclose what we cannot read. See /privacy for the architectural details.

Questions?

If you have any questions about this warrant canary, please contact us at:

[email protected]