StayUp ships a root LaunchDaemon (app.getstayup.helper) that runs pmset disablesleep on behalf of the menu-bar app over a Unix socket at /var/run/app.getstayup.helper.sock. The daemon's plist and binary live inside the app bundle (Contents/Library/LaunchDaemons/

• Contents/MacOS/) and register via Apple's SMAppService API, which requires the daemon and the parent app to share a Developer ID team and validates the signature on every load. There is no sudo installer.

If you find a way to abuse that path — privilege escalation, unsigned binary substitution, socket spoofing, anything — please tell me.

Don't open a public issue. Email instead:

security@getstayup.app (routes to the maintainer)

Or use GitHub's private vulnerability reporting on the repo if you'd rather use the GitHub UI.

I'll acknowledge within a few days. Note this is a single-dev side project — no SLA, but I take this kind of thing seriously and will fix and ship a notarized release as fast as I can.

• Anyone with admin/root on your Mac is already trusted. If an attacker can already run sudo, they can install whatever daemon they want; this isn't a StayUp problem.
• Apple sandbox bypasses. StayUp deliberately runs unsandboxed (direct distribution, not Mac App Store) because battery + closed-lid coverage uses CGVirtualDisplay (private API) and a root daemon — both forbidden in App Store sandbox.
• The CGVirtualDisplay private API. Apple may break it in a future macOS release. Not a security issue; an availability one.
• Third-party menu-bar shells / tooling that introspect StayUp's status item. Out of scope.

For completeness — StayUp does not call this a "security feature" but it's relevant context:

• No network calls during normal operation. Two exceptions:
  • Opening getstayup.app/tip in the user's browser when they click "🍞 Feed the duck" in Settings → About.
  • Sparkle update checks against getstayup.app/appcast.xml — opt-in only (Settings → Updates → "Automatically check for updates", or the second-launch Sparkle prompt). Update payloads are EdDSA-signed so a compromised CDN can't ship a backdoored DMG.
• No telemetry, no analytics, no crash reporting, no accounts.
• Accelerometer data is sampled locally only when StayUp is engaged, used for the walking duck animation, and discarded after each sample. It never leaves the device.
• UserDefaults under app.getstayup stores user prefs locally (skin choice, Don't Die threshold, Resume on Launch flag, last walk count). Never transmitted.