Please report suspected vulnerabilities privately through GitHub Security Advisories:
This routes the report directly to maintainers and is not publicly visible until coordinated disclosure. Do not open a regular GitHub issue for security reports.
Include as much detail as possible: affected version or commit, macOS version, reproduction steps, logs, impact, and any suggested mitigation.
In scope:
- Code execution vulnerabilities
- Privilege escalation
- Secret leakage, including transcript, history, config, or log exposure
- Accessibility permission abuse or unsafe synthetic input behavior
Out of scope:
- Issues requiring physical access to an unlocked Mac
- Social engineering
- Reports without a concrete security impact
We aim to acknowledge reports within 7 days and coordinate remediation before public disclosure. Unless otherwise agreed, vulnerabilities follow a 90-day responsible disclosure timeline from the initial private report.