KeyPath is under active development. Security fixes are applied to the latest release on the default branch.
Do not open public GitHub issues for security vulnerabilities.
Use one of the private channels below:
- GitHub Security Advisory (preferred): https://github.com/malpern/KeyPath/security/advisories/new
- Email fallback: malpern@gmail.com
Please include:
- A clear description of the issue
- Reproduction steps or proof-of-concept
- Impact assessment
- Environment details (macOS version, KeyPath version, install mode)

- Initial acknowledgement: within 5 business days
- Triage and severity assessment: as quickly as possible after acknowledgement
- Coordinated disclosure timeline: shared after triage

- Report is received privately.
- Maintainers validate and scope the issue.
- Fix is prepared and tested.
- New release is published.
- Advisory and credits are published when safe.

KeyPath includes privileged helper and LaunchDaemon flows. Reports involving:
- privilege escalation
- unauthorized key capture/injection
- signing/notarization bypass
- unsafe service lifecycle behavior
are treated as high priority.