Jack Dorsey says his ‘secure’ new Bitchat app has not been tested for security

  • Writer: Paula Stokes
  • May 16
  • 2 min read

On Sunday, Block CEO and Twitter co-founder Jack Dorsey launched an open source chat app called Bitchat, promising to deliver “secure” and “private” messaging without a centralized infrastructure.


The app relies on Bluetooth and end-to-end encryption, unlike traditional messaging apps that rely on the internet. Because it is decentralized, Bitchat has the potential to be a secure app in high-risk environments where the internet is monitored or inaccessible. According to Dorsey’s white paper detailing the app’s protocols and privacy mechanisms, Bitchat’s system design “prioritizes” security.


But the claims that the app is secure are already facing scrutiny from security researchers, given that the app and its code have not been reviewed or tested for security issues at all — by Dorsey’s own admission.


Since launching, Dorsey has added a warning to Bitchat’s GitHub page: “This software has not received external security review and may contain vulnerabilities and does not necessarily meet its stated security goals. Do not use it for production use, and do not rely on its security wh

Radocea wrote that Bitchat has a “broke

On Monday, Radocea filed a ticket on the GitHub project to ask how to report the security flaw he discovered in the Bitchat Favorites system. Soon after, Dorsey marked it as “completed,” without comment. (Dorsey reopened the ticket on Wednesday, saying security issues can be reported by posting on GitHub directly.)


Another person reported concerns with Dorsey’s claims that Bitchat has “forward secrecy,” a cryptographic technique that ensures that even if an attacker steals or compromises an encryption key, that attacker still cannot decrypt previously sent messages.


Someone also pointed out a potential buffer overflow bug, a common type of security vulnerability in which more data is written into a region of memory than it can hold, so that the excess spills into adjacent memory and opens the door to a data compromise.


Radocea warned that Bitchat users should not trust the app yet.


“Security is a great feature to have for going viral. But a basic sanity check, like, do the identity keys actually do any cryptography, would be a very obvious thing to test when building something like this,” Radocea told TechCrunch. “There are people out there that would take the messaging around security literally and could rely on it for their safety, so the project in its current state could endanger them.”


Referring to his and other people’s findings, Radocea criticized Dorsey’s warning that Bitchat has not been tested for security.


“I’d argue it has received external security review, and it’s not looking good,” he said.
