Security: kespineira/loom-oc

SECURITY.md

Security policy

Thanks for taking the time to help keep Loom and its users safe.

Supported versions

Loom is a small project and only the latest released version receives security fixes. Older versions are not patched.

Version     Supported
latest      yes
< latest    no

If you are running an older version, please update before reporting — the issue may already be fixed.

Reporting a vulnerability

Please do not open a public GitHub issue for security reports. Public issues are crawled and may put users at risk before a fix is available.

Instead, use GitHub's private vulnerability reporting:

  1. Go to the Security tab of this repository.
  2. Click Report a vulnerability.
  3. Fill in the form with as much detail as you can.

GitHub will notify the maintainer privately and we can coordinate from there.

What to include

A useful report typically contains:

  • A clear description of the issue and the impact you believe it has.
  • Steps to reproduce, including OS and Loom version.
  • A proof of concept if you have one (a code snippet, a crafted config file, a screenshot, etc.).
  • Any suggested mitigation, if you have one in mind.

You don't need to have all of this — partial reports are still useful. Send what you have.

What to expect

  • Acknowledgement — within 7 days of receiving the report.
  • Initial assessment — within 14 days, including whether it qualifies as a vulnerability and a rough severity estimate.
  • Fix and disclosure — timeline depends on severity and complexity. We aim to ship a patched release before the issue is publicly disclosed.

You will be credited in the release notes and the security advisory unless you ask to remain anonymous.

Scope

In scope:

  • The Loom desktop app (frontend and Tauri backend).
  • The release build pipeline (.github/workflows/release.yml) where it produces user-facing artifacts.
  • The install.sh installer script.
  • The Homebrew tap formula at kespineira/homebrew-tap.

Out of scope:

  • Vulnerabilities in OpenCode itself — please report those upstream.
  • Vulnerabilities in third-party dependencies, unless Loom is using them in an insecure way. (We still want to know — please link to the upstream advisory.)
  • Issues that require an attacker to already have full local access to a user's machine and config files.
