If you find a security issue in Sodalite, please do not open a public GitHub issue.
Instead, email superuser404@tuta.com with:
- A short description of the issue
- Reproduction steps if you have them
- The version (Settings → bottom of the screen) and tvOS version
I'll respond as quickly as possible. For confirmed issues a fix typically lands within a few days, faster if it's exploitable in the wild.
In scope:
- The Sodalite app code in this repository
- Anything that could leak credentials, tokens, or local files
- Crashes or undefined behaviour reachable from a malicious server response
- The accompanying AetherEngine media engine
Out of scope:
- Vulnerabilities in Jellyfin itself: report to the Jellyfin project
- Vulnerabilities in Seerr / Jellyseerr: report to that project
- Issues in FFmpeg or upstream codec libraries: report to those projects
- Configuration mistakes on your own server (e.g. exposing Jellyfin without TLS)
What you can expect:
- Acknowledgement within 72 hours
- Disclosure timeline coordinated with you, typically 30 days from fix release before public details
- Credit in the release notes if you'd like (or anonymous if you prefer)
This is a hobby project maintained by one person. I can't pay bug bounties, and turnaround on lower-severity issues may be slower than you'd see at a funded project. Critical issues (RCE, credential exfiltration) are always top priority.
Thanks for helping keep Sodalite safe.