The Subrosa client is open source, and is licensed under GPLv3. It's recommended to host and access the client locally.
The latest release is v0.20. (Download)
Note: Subrosa's servers pass the Content-Security-Policy headers which provide protection against any undiscovered XSS / code injection attacks. For the same level of security, your web server should pass the following header:
default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self' ws://yourhostname http://yourhostname
Contributions & bug reports
A better infrastructure will be set up soon, however reducing the possible attack vectors is a significant concern. For now, please email tocontact|at|subrosa.io - our PGP keyid is 4090401A.