We release patches for security vulnerabilities. Whether a report receives a patch depends on its CVSS v3.0 severity rating and on whether the affected version is still supported; the table below lists the versions currently eligible:
| Version | Supported |
|---|---|
| 0.1.x | ✅ |
Please report (suspected) security vulnerabilities to john@bondstudios.us. You will receive a response within 48 hours. If the issue is confirmed, we will release a patch as soon as possible; timing depends on complexity, but historically fixes have shipped within a few days.
This project interacts with:
- macOS system permissions: Requires Accessibility and Microphone permissions
- Local LLM endpoints: Communicates with local AI services
- AppleScript: Executes system commands to control windows
- Microphone input: Processes audio data locally
When using this software:
- Review presets.json: Ensure preset configurations don't contain sensitive information (API keys, tokens, passwords), and don't commit a presets.json that does
- Local LLM only: The project is designed to work with local LLM endpoints. If you modify it to use cloud services, make sure the endpoint requires authentication and keep the credentials out of presets.json and out of version control
- Permissions: Only grant the macOS permissions the app actually needs (Accessibility for window control, Microphone for voice input), and revoke them when you stop using it
- Network: If the LLM endpoint is reachable over the network rather than on localhost, keep it on a trusted network or put it behind TLS and authentication; the app itself does not authenticate the endpoint, so anyone who can reach or impersonate it can influence what the app does
- Code review: Review any custom modifications before running them
- The project uses AppleScript, which, once the app holds Accessibility permission, can drive the UI of any application on the system; treat anything that reaches the AppleScript layer as a privileged action
- Microphone access is required for voice input; audio is processed locally and is not sent to a remote service unless you modify the project to do so
- There is no built-in authentication for LLM endpoints; the project assumes the endpoint is on localhost or a trusted network
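The two checks the list above asks you to make by hand (no credentials in presets.json, LLM endpoint on localhost) can be scripted. The following pre-flight check is an added example and is not the project's own code; it assumes presets.json is a JSON object (nested objects and lists allowed) and that endpoint URLs live under keys named like `endpoint`, `url`, `base_url` or `host`. The sample preset data at the bottom is constructed for the demonstration.

```python
"""Pre-flight check for a presets.json that configures a local LLM endpoint.

Added example, not the project's own code. Assumptions: presets.json is a JSON
object, and endpoint URLs sit under keys named like endpoint/url/base_url/host.
"""
import ipaddress
import json
import re
import sys
from urllib.parse import urlsplit

# Key names that usually hold a credential. The (^|[_-]) / ($|[_-]) guards keep
# an LLM setting such as "max_tokens" from matching "token".
SECRET_KEY_RE = re.compile(r"(^|[_-])(api[_-]?key|secret|token|password|passwd)($|[_-])", re.I)
# Value shapes that are credentials regardless of key name (assumed formats).
SECRET_VALUE_RE = re.compile(r"^(sk-[A-Za-z0-9_-]{10,}|ghp_[A-Za-z0-9]{20,}|Bearer\s+\S+)$")
ENDPOINT_KEY_RE = re.compile(r"(endpoint|url|base_url|host)$", re.I)
INDEX_RE = re.compile(r"\[\d+\]$")


def _walk(node, path=""):
    """Yield (dotted_path, leaf_value) for every scalar in a JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, f"{path}[{i}]")
    else:
        yield path, node


def _leaf_name(path):
    """Last key in a dotted path, with any trailing list index removed."""
    return INDEX_RE.sub("", path.rsplit(".", 1)[-1])


def find_secrets(presets):
    """Paths whose key looks like a credential holder or whose value looks like a credential."""
    hits = []
    for path, value in _walk(presets):
        if not isinstance(value, str) or not value:
            continue
        if SECRET_KEY_RE.search(_leaf_name(path)) or SECRET_VALUE_RE.match(value):
            hits.append(path)
    return hits


def is_local_endpoint(url):
    """True only if the URL's host is 'localhost' or a loopback IP (v4 or v6)."""
    host = urlsplit(url).hostname
    if host is None:
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # any DNS name other than localhost is treated as remote


def find_remote_endpoints(presets):
    """(path, url) pairs for endpoint-like keys whose host is not loopback."""
    remote = []
    for path, value in _walk(presets):
        if isinstance(value, str) and "://" in value and ENDPOINT_KEY_RE.search(_leaf_name(path)):
            if not is_local_endpoint(value):
                remote.append((path, value))
    return remote


def check_presets(presets):
    """Run both checks; 'ok' is False if anything needs attention."""
    secrets = find_secrets(presets)
    remote = find_remote_endpoints(presets)
    return {"secrets": secrets, "remote_endpoints": remote, "ok": not secrets and not remote}


# Constructed sample (not a real presets.json): one clean preset, one risky preset.
SAMPLE_PRESETS = {
    "default": {"endpoint": "http://localhost:11434/v1", "model": "llama3", "max_tokens": 256},
    "work": {"endpoint": "https://llm.example.internal:8443/v1", "api_key": "sk-abcdefghijklmnop"},
    "notes": ["Bearer eyJhbGciOi"],
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            presets = json.load(f)
    else:
        presets = SAMPLE_PRESETS
    report = check_presets(presets)
    for p in report["secrets"]:
        print(f"credential-like value at {p}: move it out of presets.json")
    for p, url in report["remote_endpoints"]:
        print(f"non-loopback endpoint at {p}: {url} (trusted network, TLS and auth required)")
    sys.exit(0 if report["ok"] else 1)
```

Run it as `python3 preflight.py presets.json` before starting the app. Note the limit of the endpoint check: it validates only the URL the client will use. A loopback URL does not prove the server is bound to loopback; if the LLM service listens on 0.0.0.0 it is still reachable from the network, so also confirm the bind address on the host (for example with `lsof -nP -iTCP -sTCP:LISTEN` on macOS).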
When we receive a security bug report, we will assign it to a primary handler. This person will coordinate the fix and release process, which involves the following steps:
- Confirm the problem and determine the affected versions
- Audit code to find any similar problems
- Prepare fixes for all releases still under maintenance
- Publish a security advisory and release patches
We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.