Please DO NOT report security vulnerabilities through public GitHub issues.

Instead, use GitHub Security Advisories to report vulnerabilities privately.

• 48 hours: Acknowledgment of your report
• 5 business days: Initial assessment and severity classification
• Release notes: Contributors will be credited (optionally) in the release that addresses the vulnerability

• Authentication or authorization bypasses
• Data exposure or leakage
• XSS in the webview layer
• Injection vulnerabilities in Rust backend or FFmpeg commands
• Insecure data storage (SQLite, local files)
• Dependency vulnerabilities with known exploits

• Third-party services (GitHub, FFmpeg upstream)
• Social engineering attacks
• Denial of service attacks
• Issues requiring physical access to the device
• Vulnerabilities in development dependencies only

• Never commit secrets or credentials
• Keep dependencies updated
• Follow the principle of least privilege
• Validate and sanitize all user input, especially file paths passed to FFmpeg