Security notices
This page lists security notices we’ve issued for the platform. We commit to publishing material security issues here when they affect user data or trust.
Recent fixes are also recorded in our release notes. If you believe you’ve found a security issue, please email us at security@tranznova.com.
Session revocation now applies to realtime events
What changed
Previously, when you used "Sign out of all devices" or revoked a session from your Settings, the revoked session could continue receiving realtime notifications, messages, and presence updates until the underlying token expired naturally — typically minutes to hours later, and up to several days in some cases.
This has been fixed. Revoking a session now immediately disconnects all realtime connections for that session.
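The behaviour described above, as an added example that is not the platform's own code: a hub that indexes live connections by session id so that revoking a session closes them at once. The `sid` claim, the class and function names and the sample values are assumptions; `disconnect_on_revoke=False` reproduces the gap that existed before the fix.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)  # eq=False keeps identity hashing so connections fit in a set
class Connection:
    user: str
    sid: str      # session id (assumed to be carried in the token)
    exp: int      # token expiry, in seconds
    open: bool = True
    inbox: list = field(default_factory=list)

class RealtimeHub:
    """Indexes live connections by session id so revocation can close them."""
    def __init__(self, disconnect_on_revoke=True):
        self.disconnect_on_revoke = disconnect_on_revoke
        self.revoked = set()
        self.by_session = {}

    def connect(self, claims, now):
        # claims are assumed to come from an already signature-verified JWT
        if claims["exp"] <= now or claims["sid"] in self.revoked:
            raise PermissionError("token expired or session revoked")
        conn = Connection(claims["sub"], claims["sid"], claims["exp"])
        self.by_session.setdefault(conn.sid, set()).add(conn)
        return conn

    def revoke(self, sid):
        self.revoked.add(sid)
        if not self.disconnect_on_revoke:
            return 0  # behaviour before the fix: sockets live on until exp
        conns = self.by_session.pop(sid, set())
        for conn in conns:
            conn.open = False  # a real server would close the socket here
        return len(conns)

    def publish(self, user, event, now):
        delivered = 0
        for conns in self.by_session.values():
            for conn in conns:
                if conn.user == user and conn.open and conn.exp > now:
                    conn.inbox.append(event)
                    delivered += 1
        return delivered

def demo(disconnect_on_revoke):
    hub, now = RealtimeHub(disconnect_on_revoke), 1_000  # constructed sample data
    laptop = hub.connect({"sub": "alice", "sid": "s-laptop", "exp": now + 3600}, now)
    kiosk = hub.connect({"sub": "alice", "sid": "s-kiosk", "exp": now + 3600}, now)
    closed = hub.revoke("s-kiosk")
    hub.publish("alice", "new direct message", now + 60)
    return closed, laptop.inbox, kiosk.inbox
```

`demo(True)` and `demo(False)` return the number of connections closed on revocation and the events each device received afterwards, so the two modes can be compared directly.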
Why it matters
If you revoked a session for a security reason — for example you suspected a device was compromised, or you left a session signed in on a public computer — the realtime channel on the revoked device may have continued receiving private events for the JWT’s remaining lifetime.
The affected events include new direct messages, profile-view notifications, RFQ replies, and admin notifications. No content the user wasn’t already authorized to see was leaked. The gap is that the revoked device kept receiving updates the user thought they had stopped.
What you should do
If you revoked sessions for security reasons in the past, you may wish to revoke them again. The previous revocation correctly prevented login and API access; this fix closes the realtime channel.
Affected features
Realtime notifications, direct messages, profile-view alerts, presence indicators.
Reference: Internal security audit — Batch 5 finding H1