Security reports need a private path. Please do not open a public GitHub issue for vulnerabilities, exposed secrets, auth bypasses, signing problems, or privacy-impacting bugs.
- Credential, token, keystore, certificate, or signing leaks.
- Authentication or authorization bypasses.
- Remote code execution, injection, deserialization, or supply-chain issues.
- Local data exposure, privacy leaks, unsafe logging, or missing redaction.
- Unsafe model, tool, plugin, file, network, or background automation behavior.
- Vulnerabilities in release, CI, or artifact publishing workflows.
Use GitHub's private vulnerability reporting if it is enabled for this repository. If it is not enabled, open a minimal public issue asking maintainers to enable a private security contact path, but do not include exploit details.
Include:
- Affected commit, release, package, or platform.
- Steps to reproduce.
- Impact and likely severity.
- Whether the issue is already public.
- Any safe workaround you know.
Maintainers should:
- Acknowledge valid reports as soon as practical.
- Avoid asking reporters to disclose sensitive details publicly.
- Coordinate fixes before public disclosure when possible.
- Credit reporters when they want credit and it is safe to do so.
This project is still evolving quickly. Security fixes target the latest main
branch and the latest published release unless maintainers document a longer
support window for a release line.
Before opening a PR, confirm the diff does not include:
app/android/key.properties- keystore files
- private certificates
- API keys or access tokens
- production logs
- personal user data
- unredacted model, tool, or network traces