
Security: timokoethe/Localframe

SECURITY.md

Security Policy

Supported Versions

Security fixes are applied to the latest published Localframe release.

Localframe is a demonstration app for iOS 26 and Apple's on-device Image Playground framework. It is not production-ready, and older demo builds are not maintained.

Reporting a Vulnerability

Please do not disclose vulnerabilities in a public issue or pull request.

Use GitHub's private vulnerability reporting for this repository from the Security tab by choosing Report a vulnerability. Include the affected version, steps to reproduce, impact, and any suggested fix.

If Report a vulnerability is not visible, private vulnerability reporting has not been enabled yet. Open a public issue asking for a private contact channel without including vulnerability details.

When reporting a vulnerability, do not include private prompts, credentials, personal data, or sensitive screenshots unless they are strictly required to explain the issue. Redact anything that is not needed to reproduce the problem.

What to Report Privately

Please use private vulnerability reporting for issues such as:

  • Unintended network access, data transmission, or telemetry
  • Exposure of prompts, generated images, device data, or local files
  • Inclusion of credentials, signing assets, private keys, generated app bundles, or local system files
  • A privacy issue that conflicts with Localframe's fully on-device and offline design
  • A build or project configuration issue that could expose sensitive data

Non-Security Issues

General app bugs, image quality issues, inaccurate generated images, unsupported devices, unavailable Image Playground features, and UI problems can be reported with the public bug report template unless they expose private data or create a security risk.
