Elon Musk-owned social platform X has announced that it will open source the code behind its in-app messaging feature, XChat, and subject it to rigorous security testing, following ongoing concerns about how message encryption and private keys are handled on the platform.
XChat, launched last year as an in-built messaging feature on X (formerly Twitter), initially supported text messaging for all users. Premium subscribers were additionally given the option to make audio and video calls without linking a phone number, positioning the feature as a lightweight alternative to traditional messaging apps.
However, cybersecurity researchers and privacy advocates raised questions about the platform’s end-to-end encryption claims, prompting Musk to promise greater transparency through open-sourcing the codebase.
Encryption model drew scrutiny
XChat has been described by the company as offering end-to-end encryption. However, unlike some privacy-focused messaging platforms where private decryption keys are stored only on user devices, critics pointed out that XChat’s key handling model involves server-side storage elements.
Security experts have argued that when keys or key-related materials are accessible through central servers, lawful access orders or server breaches could expose message data. This has led to comparisons with other messaging platforms that use stricter device-only key storage models.
These concerns triggered debate among users about the level of privacy offered by the platform’s messaging system and whether its encryption model meets the highest security standards.
Open source move to enable independent audits
In response, Musk said X will open source the XChat code and conduct extensive security testing. By making the source code public, the company will allow independent cybersecurity firms, researchers and developers to inspect how the messaging system works at a technical level.
Open sourcing enables third-party experts to audit encryption flows, key management systems, data handling practices and potential vulnerabilities. If flaws or weaknesses are found, they can be reported and fixed more quickly.
Technology analysts say this move can improve trust if the review process is transparent and if reported issues are addressed promptly.
Open-source review is widely used in security-sensitive software ecosystems because it distributes verification across a global expert community instead of limiting it to internal teams.
Bug bounty programmes already in place
Musk’s companies, including X and xAI, have been running bug bounty programmes through platforms such as HackerOne to encourage ethical hackers and researchers to report vulnerabilities responsibly.
Under these programmes, participants who identify and disclose verified security flaws can receive financial rewards based on severity. Reported payouts have ranged from about $7,500 (around ₹6.7 lakh) to $20,000 (around ₹18 lakh) for high-impact findings.
Such programmes are designed to crowdsource security testing and strengthen platform resilience against real-world attack methods.
Cybersecurity experts note that combining bug bounties with open-source code review can significantly widen the safety net for large digital platforms.
X’s broader tech ecosystem under the lens
The security discussion around XChat comes at a time when Musk’s broader technology ecosystem — including AI products — has also faced regulatory and public scrutiny.
Recently, the Grok AI app developed by xAI drew criticism after users misused image-editing features to generate altered images of women without consent. Following warnings from authorities in multiple countries, including India, the company removed flagged content and restricted certain image-editing capabilities.
Digital policy observers say messaging security, AI safeguards and content controls are increasingly linked in public perception when platforms offer integrated communication and AI tools.
Competition in messaging features
XChat is part of X’s larger push to become an “everything app” combining social networking, payments, media and communications. Messaging, voice and video calling are key components of that strategy.
The messaging space is already dominated by established players offering encrypted communication, including apps focused strongly on privacy and secure architecture. By enhancing transparency and security validation, X appears to be positioning XChat as a more credible alternative.
Industry watchers say actual user trust will depend not just on open sourcing the code but also on how encryption architecture is implemented and independently verified.
Conclusion
By committing to open source XChat’s code and expanding security testing, X is attempting to address privacy and encryption concerns through transparency and community audit. The effectiveness of this step will depend on the depth of independent reviews and how quickly the company responds to identified vulnerabilities.
