If you discover a security vulnerability in UIPin, please do not file a public issue.
Instead, email [DreamNight] with details. You should receive a response within 48 hours.

| Version | Supported |
|---|---|
| 1.x | ✅ |

UIPin is a local-only Electron desktop application. Key security properties:

- No network services — MCP server binds to `127.0.0.1` only and is not accessible remotely
- Context isolation — Renderer processes use `contextIsolation: true` with `sandbox: true`
- No node integration — Renderer has `nodeIntegration: false`
- CSP enforced — Content-Security-Policy restricts script and image sources
- Preload API frozen — `Object.freeze()` prevents post-load tampering

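
As an added illustration (not UIPin's own code), the following Node.js check tests a set of settings against the properties listed above and reports each deviation. The function names, the `pins` API namespace and the sample values are assumptions made for the example.

```javascript
'use strict';
// Helper names are hypothetical; sample values are constructed, not UIPin's real config.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}
// Object.freeze() is shallow, so nested namespaces are frozen too (assumes no cycles).
function deepFreeze(obj) {
  for (const v of Object.values(obj)) if (v && typeof v === 'object') deepFreeze(v);
  return Object.freeze(obj);
}
function isDeeplyFrozen(obj) {
  return Object.isFrozen(obj) &&
    Object.values(obj).every((v) => !(v && typeof v === 'object') || isDeeplyFrozen(v));
}
// Returns deviations from the listed properties; an empty array means all of them hold.
// Settings must be explicit here, matching how the list states them.
function auditHardening({ webPreferences = {}, mcpHost, csp = '', preloadApi }) {
  const findings = [];
  const want = { contextIsolation: true, sandbox: true, nodeIntegration: false };
  for (const [key, value] of Object.entries(want)) {
    if (webPreferences[key] !== value) findings.push(`${key} is not ${value}`);
  }
  if (mcpHost !== '127.0.0.1') findings.push(`MCP server binds to ${mcpHost}`);
  const policy = parseCsp(csp);
  for (const directive of ['script-src', 'img-src']) {
    const sources = policy[directive] || policy['default-src']; // CSP fallback
    if (!sources) findings.push(`CSP does not restrict ${directive}`);
    else if (sources.includes('*')) findings.push(`CSP ${directive} allows any origin`);
    else if (directive === 'script-src' && sources.some((s) => /^'unsafe-/.test(s))) {
      findings.push("CSP script-src allows an 'unsafe-*' source");
    }
  }
  if (!preloadApi || !isDeeplyFrozen(preloadApi)) findings.push('preload API is not fully frozen');
  return findings;
}
const weak = { // constructed sample with several deviations
  webPreferences: { contextIsolation: true, nodeIntegration: true },
  mcpHost: '0.0.0.0',
  csp: "script-src 'self' 'unsafe-inline'",
  preloadApi: Object.freeze({ pins: { list() {} } }), // shallow freeze only
};
console.log(auditHardening(weak));
```

The shallow-frozen sample is reported because its nested `pins` object can still be reassigned; `deepFreeze` closes that gap.
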
- Describe the vulnerability with as much detail as possible
- Include steps to reproduce
- If possible, suggest a fix