
Security: JasonLeviGoodison/Neutron


SECURITY.md

Security policy

Reporting a vulnerability

Do not open a public GitHub issue for security bugs.

Use GitHub's private vulnerability reporting on this repository: Security → Report a vulnerability. That gives us a private channel to triage the report and ship a patch before any public disclosure.

If you can't use GitHub's reporting flow, contact the maintainers via the email listed on the repository's GitHub profile.

When you report, please include:

  • A description of the issue and the impact you observed
  • Steps to reproduce, ideally with a minimal proof of concept
  • Affected version (commit SHA or release tag)
  • Your environment (OS, Node version)

We aim to acknowledge reports within 5 business days and, for high-severity issues, to ship a fix or publish a mitigation plan within 30 days. We'll credit you in the release notes unless you ask us not to.

Scope

In scope:

  • Code execution, privilege escalation, sandbox escape, or unauthorized data access in the desktop app.
  • Issues in the agent loop or tool handlers that let the LLM take actions outside the set of tools declared to it (for example, invoking a tool that was not registered, or passing a tool arguments that bypass its intended constraints).
  • Vulnerabilities in the build/sign/publish pipeline that could let an attacker ship a malicious update.

Out of scope:

  • Issues that require physical access to an unlocked machine.
  • Social-engineering attacks that depend on the user manually overriding the app's confirmations.
  • Best-practice nits without a concrete impact.

Supported versions

We patch the latest release. Older versions receive security fixes only while they are still being actively distributed; once a release is superseded, upgrade to the current one to receive fixes.

There aren't any published security advisories