[kbwt]

Then demand reproducible builds from software with security claims?

[tptacek]

Can I have serious cryptanalytic audits first? Because virtually nothing has that. At least I trust what Signal Protocol is trying to do!

[kbwt]

One does not preclude the other. For instance, the current Signal implementation is almost certainly prone to remote code execution.

How does the Signal project handle reports of potential vulnerabilities? I haven't seen any security contact information on the OpenWhisperSystems site.