Please do not open public GitHub issues for security-sensitive problems.
Report vulnerabilities privately with:
- a clear description of the issue
- affected files, endpoints, or flows
- reproduction steps or proof of concept
- expected impact
Until a dedicated private reporting channel is added, use the contact links listed in README.md and clearly label the message as a security report.
Security-relevant issues may include:
- unsafe handling of personal or session data
- prompt injection or unsafe tool behavior
- exposed local services or unintended remote access
- unsafe file handling or command execution paths
- weaknesses in report export, TTS, or sync endpoints
Please allow reasonable time for triage and remediation before public disclosure.