Security: odei-ai/odei-app

.github/SECURITY.md

Security Policy

Supported Branch

Security fixes are issued against the main branch.

Reporting

Please report vulnerabilities privately through one of these channels:

  1. GitHub Security Advisories: https://github.com/odei-ai/odei-app/security/advisories/new
  2. Email: security@odei.ai

Include:

  • affected component or file
  • reproduction steps
  • impact assessment
  • suggested mitigation if available

Scope

Reports are especially useful for issues involving:

  • Electron privilege boundaries, IPC, or local process orchestration
  • authentication, session handling, or wallet/account linking
  • secret exposure in source, docs, or build artifacts
  • deployment misconfiguration in public-facing surfaces
  • injection, traversal, or unsafe file/system access

Out of scope:

  • purely theoretical issues without a plausible exploit path
  • third-party library vulnerabilities with no repository-specific impact
  • social engineering and physical access scenarios

Response

  • Initial acknowledgement target: within 3 business days
  • Triage and severity assessment: as quickly as practical
  • Coordinated disclosure: after remediation or mitigation is available

Contributor Expectations

  • Never commit live credentials, and never present local-only machine paths as the canonical setup
  • Prefer placeholder configuration in docs and examples
  • Review auth, storage, deployment, and IPC changes with extra scrutiny
  • Add or update tests when security-sensitive behavior changes