| Version | Supported |
|---|---|
| 2.0.x | ✅ |
| < 2.0 | ❌ |
If you find a security vulnerability, please do not open a public issue.
Instead:
- Initial contact: Open an issue with title `Security: [brief description]` and request private disclosure
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if you have one)
We'll respond within 48 hours and work with you to understand and address the issue.
The app:
- Wraps Netflix's web player in an Electron window
- Stores settings locally in `~/.config/netflix-linux/`
- Optionally sends crash reports to Sentry (user must opt in)
- Optionally communicates with Discord for Rich Presence

The app does not:
- Collect user data without consent
- Store or transmit Netflix credentials
- Phone home without user knowledge
- Run third-party scripts
- This is a web wrapper - it's as secure as Netflix's web player
- DRM is handled by Widevine (same as Chrome/Firefox)
- No sandboxing between profiles (they share the same Electron process)
- Keep the app updated
- Only download from official releases
- Review the code if you're concerned (it's open source)
- Use different Linux users for true profile isolation
If we discover or are informed of a security issue:
- We'll fix it in the next release
- Credit the reporter (unless they prefer anonymity)
- Document it in the changelog
- Create a GitHub Security Advisory if severe
These are not security issues:
- Netflix login/account security (that's Netflix's responsibility)
- Issues with Netflix's DRM or content protection
- Discord API vulnerabilities
- Electron framework vulnerabilities (unless specific to our implementation)
Thanks for helping keep this project secure!