Security fixes are prioritized for the latest development branch and the latest tagged release.
Please do not open a public GitHub issue for security-sensitive bugs.
Preferred disclosure order:
- Use GitHub Security Advisories if the public repository has them enabled.
- If advisories are not enabled yet, contact the maintainer privately before public disclosure.
When reporting a vulnerability, include:
- affected version or commit
- clear reproduction steps
- expected impact
- suggested mitigation, if known
Security reports are especially helpful for:
- command execution and process spawning
- local file access and path handling
- transcript import and storage flows
- Electron preload or IPC boundaries
- packaged desktop behavior
- provider fallback and outbound request handling
The goal is coordinated disclosure with a fix or mitigation ready before details are shared publicly.