| Version | Supported |
|---|---|
| Latest | ✅ |
| < 1.0 | ❌ |
Do not report security vulnerabilities through public GitHub issues.
Contact: YOUR_SECURITY_EMAIL
Include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fixes (if any)
Response timeline:
- Initial Response: Within 48 hours
- Assessment: Within 7 days
- Fix: Timeline depends on severity
- Disclosure: After fix is available
This app uses Tauri's security model:
- Permissions: Minimal system permissions via `capabilities/`
- IPC: Type-safe commands via tauri-specta
- File Access: Scoped to app directories by default
- CSP: Configured in `index.html`
Input validation in Rust commands:

```rust
// ✅ Validate paths - prevent traversal attacks
fn checked_filename(filename: &str) -> Result<&str, String> {
    if filename.contains("..") {
        return Err("Invalid filename".into());
    }
    Ok(filename)
}

// ❌ Never trust raw user input for paths
std::fs::write(user_input, data);
```

Secrets:
- Never commit secrets to version control
- Use `.env.local` (gitignored) for local secrets
- Use GitHub Secrets for CI/CD
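A stricter form of the path check shown in the snippet above, added here as an illustration and not part of this project's code: rather than a substring test for `..`, every component of the requested name must be a plain file or directory name, so absolute paths, parent-directory references and drive prefixes are all refused before the name is joined onto the app's data directory. `app_dir` is assumed to be whatever directory the app has resolved for its own files; the sample inputs are constructed.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve a filename received from the webview to a path inside `app_dir`,
/// or refuse it. Every component must be a plain name, so "/etc/passwd",
/// "../x", "./x" and "C:\\x" are rejected, while nested names such as
/// "sub/notes.txt" and odd-but-legal names such as "..notes.txt" pass.
pub fn resolve_in_app_dir(app_dir: &Path, filename: &str) -> Result<PathBuf, String> {
    if filename.is_empty() {
        return Err("Invalid filename".into());
    }
    // Refuse characters that are separators or reserved on Windows even when
    // this runs on a Unix host, so the rule is identical on every target.
    if filename.chars().any(|c| matches!(c, '\\' | ':' | '\0')) {
        return Err("Invalid filename".into());
    }
    let relative = Path::new(filename);
    for part in relative.components() {
        match part {
            Component::Normal(_) => {}
            // RootDir, Prefix, ParentDir or CurDir: not a plain relative name
            _ => return Err("Invalid filename".into()),
        }
    }
    let resolved = app_dir.join(relative);
    // Holds by construction; cheap guard against future edits to the loop above.
    debug_assert!(resolved.starts_with(app_dir));
    Ok(resolved)
}

/// Write `data` only to a path that passed the check above.
pub fn write_in_app_dir(app_dir: &Path, filename: &str, data: &[u8]) -> Result<PathBuf, String> {
    let path = resolve_in_app_dir(app_dir, filename)?;
    if let Some(parent) = path.parent() {
        std::fs::create_dir_all(parent).map_err(|e| e.to_string())?;
    }
    std::fs::write(&path, data).map_err(|e| e.to_string())?;
    Ok(path)
}

fn main() {
    // Constructed inputs: the app directory is a placeholder path.
    let app_dir = Path::new("/tmp/example-app-data");
    for name in ["notes.txt", "../../etc/passwd", "/etc/passwd", "sub/notes.txt"] {
        println!("{:?} -> {:?}", name, resolve_in_app_dir(app_dir, name));
    }
}
```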
Dependency audits:

```sh
npm audit
cargo audit
```