If you discover a security vulnerability in Reflection, please report it privately. Do not open a public issue, pull request, or discussion.
Use GitHub's private security advisory to submit your report.
Include the following details:
- Description of the vulnerability
- Steps to reproduce
- Affected versions
- Any potential mitigations you are aware of

After you submit a report, you can expect:
- Acknowledgment — Within 3 business days of your report
- Assessment — We will evaluate severity and impact, and keep you updated on progress
- Fix & Disclosure — Once a fix is ready, we will coordinate disclosure with you before releasing publicly

Reflection is a local desktop application that mirrors iPad screens over USB. Security concerns most relevant to this project include:
- Unauthorized access to the camera/video feed
- Privilege escalation through entitlements
- Unexpected network activity or data exfiltration

Please do not publicly disclose the vulnerability until a fix has been released. We are committed to addressing security issues promptly and will credit reporters in the release notes (unless you prefer to remain anonymous).