Somp is alpha desktop software (Tauri + React). We take credible security reports seriously, especially around local data, API keys, and the embedded YouTube Music WebView.
| Version | Supported |
|---|---|
| 0.3.x (alpha) | ✅ current line |
| 0.2.x (alpha) | ✅ best-effort fixes only |
| < 0.2 | ❌ |
Install from GitHub Releases only. Never commit `vault.enc`, `.env` files, or API keys to git.
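One way to enforce the "never commit secrets" rule locally, as an added example that is not tooling from the Somp repository: a POSIX shell pre-commit hook that refuses staged `vault.enc` or `.env` files and scans other staged files for API-key-shaped strings. The `AIza` prefix for Google/Gemini API keys is a public format; the `gsk_` prefix assumed for Groq keys and the exact patterns are assumptions for illustration, so adjust them to the keys Somp actually stores.

```sh
#!/bin/sh
# Added example pre-commit hook (not part of Somp). Install by copying to
# .git/hooks/pre-commit and making it executable.
# Assumptions: Google/Gemini keys begin with "AIza" (documented prefix);
# Groq keys begin with "gsk_" (assumed here); tune both to your environment.

SOMP_KEY_RE='AIza[0-9A-Za-z_-]{30,}|gsk_[0-9A-Za-z]{20,}'

# Path rule: returns 0 (true) when the path must never reach the repository.
somp_forbidden_path() {
  case "$1" in
    vault.enc|*/vault.enc) return 0 ;;
    .env|*/.env|.env.*|*/.env.*) return 0 ;;
    *) return 1 ;;
  esac
}

# Content rule: returns 0 when the given text contains a likely API key.
somp_has_key_pattern() {
  printf '%s\n' "$1" | grep -Eq "$SOMP_KEY_RE"
}

# Reads newline-separated staged paths on stdin (the format produced by
# `git diff --cached --name-only --diff-filter=ACM`). Prints each offender to
# stderr and returns 1 if anything must be blocked, 0 otherwise.
somp_check_paths() {
  rc=0
  while IFS= read -r f; do
    [ -n "$f" ] || continue
    if somp_forbidden_path "$f"; then
      echo "blocked: $f (secret file must not be committed)" >&2
      rc=1
      continue
    fi
    # Only text files that exist in the worktree are scanned for key strings.
    if [ -f "$f" ] && grep -Eq "$SOMP_KEY_RE" "$f"; then
      echo "blocked: $f (contains what looks like an API key)" >&2
      rc=1
    fi
  done
  return $rc
}

# Hook entry point: only runs when git invokes this file as the pre-commit hook.
if [ "${0##*/}" = "pre-commit" ]; then
  git diff --cached --name-only --diff-filter=ACM | somp_check_paths
fi
```

The path rule runs before the content scan so that an encrypted vault blob is rejected by name rather than being read; `.gitignore` entries for the same files are still worth keeping, since a hook only protects developers who installed it.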
In scope:

- Local secrets vault (`vault.enc` / OS keyring): encryption, path handling, exposure via IPC
- Tauri command / capability gaps (unauthorized `invoke`, webview ACL)
- Remote code execution via Laboratory import, presets, or chat attachments
- Privacy leaks (unexpected network exfiltration of chat history, presets, or tokens)

Out of scope:

- Bypassing YouTube / YouTube Music ads, Premium, or Terms of Service. Somp must not add ad-block or stream-rip tooling (compliance), so requests or reports of that kind will not be acted on.
- Vulnerabilities in music.youtube.com or Google's infrastructure
- Issues that require malware or physical access to an already-compromised PC
- Preferred: GitHub Security Advisories (private report).
- Or email greorgory@gmail.com with the subject `Somp security`.
Include: version/build, OS, steps to reproduce, impact, and any PoC (minimal is fine).
Please do not open public issues for undisclosed exploit details.
| When | Action |
|---|---|
| Within 72 h (business days) | Acknowledgement |
| Within 14 days | Triage and severity rating (best effort for alpha) |
| Fix | Patch on main, release tag when ready; credit in the advisory if you want it |
We may decline reports for out-of-scope items or third-party services (Ollama, Groq, Gemini, Google).
We appreciate coordinated disclosure. Do not test against other users’ accounts or production Google APIs beyond your own.