Exactly. Them trying to cover it just makes it worse...

Yup, there's no need for FUD. I just look at network activity.

    Zappl is open source you can contribute to the Github or leave bug reports on utopian.

That's highly debatable when there have been only small commits since November, 2017. My bug report was created by utopian, twice for some reason, then closed with no explanation and no related commits.

#### Reply:
There was significant updates to the project just 18 days ago. So its pretty open source. All one needs to do is just download the source and they can run it in dev mode and set up some pm2 starts for mongod and index.js but npm start dev would be easier to do.

The website will work the same way it does on the web, The only difference is they won't be able to upload videos and images, they will need to add those keys for them self.

https://github.com/Zappl/Zappl/commit/f83e3130b005008317e73748da82b08fb01c0204

<hr>

To me, it seems like the Zappl front-end was put on GitHub so it would qualify for utopian's rules. But it hasn't been maintained.

    No Zappl don't save keys, your keys are saved in your browser or mobile device not on our servers.

Maybe this is true, but it's beside the point. It's possible that Zappl signs in-browser, but it also sends the keys to the server. Since the keys are sent to the server, it's entirely possible that they're logging keys without knowing it.

    Even if Zappl was capturing keys for the public key (Which were not because they're saved in your browser)were only limited to those uses above.

This is where we get into a real problem. Certain parts of Zappl does ask for the active key and does send the active key to the server. My GitHub Issue shows this.

#### Reply:
Yes were aware active keys transactions, we have had several talks about this on discord before. The review was closed because its in an up and coming update. We tend to do bulk updates with our code.  As one can see from our latest updates from January 

We first update in a private rep then those updates are moved over to the main open rep. As a company we have plugins for our code thats are trade secret plugins. 

For some things zappl wants a competitive edge, but we still leave the code that connects these features open to the public. So if they would want to make plugins with these features they can do so their self and see how this is interacting with the code.


Were not trying to hide anything just sometimes we happen to close things with out commenting on them. Which honestly we probably shouldn't have been doing. If you look at the tickets we have closed tickets with out commenting, but the fix had still been put in.

So we will try to update users of fixes before we close tickets now.

they take 15% of rewards (compared to dtube/dsound/dmania's 25% that's low I guess)

![](https://steemitimages.com/DQmTFBCxdovvpLPpWCujEYnNqnq7gizvEi5v5cfhWQ2okeQ/image.png)

They probably take a beneficiary like many other platforms, not sure how much

They do not believe it yet. And With time, they will believe.

## Zappl just has to keep giving trust to users, that's all. And Never make mistakes.

Seems you don't save keys, but if they so happen to be leaked in logs, the fix for that will take weeks?

I am not impressed by how you handled this and will advise everyone to change their keys if they used zappl. 

Should you have the fix live at some point, please comment on the github issue.

Oke sir zappl thank you