Security fixes are applied to the latest published Localight release.
Localight is a demonstration app for iOS 26 and Apple's on-device Foundation Models. It is not production-ready, and older demo builds are not maintained.
Please do not disclose vulnerabilities in a public issue or pull request.
Use GitHub's private vulnerability reporting for this repository: open the Security tab and choose "Report a vulnerability". Include the affected version, steps to reproduce, impact, and any suggested fix.
If "Report a vulnerability" is not visible, private vulnerability reporting has not been enabled yet. In that case, open a public issue that asks for a private contact channel and does not include any vulnerability details.
When reporting a vulnerability, do not include private prompts, credentials, personal data, or sensitive screenshots unless they are strictly required to explain the issue. Redact anything that is not needed to reproduce the problem.
Please use private vulnerability reporting for issues such as:
- Unintended network access, data transmission, or telemetry
- Exposure of prompts, generated responses, device data, or local files
- Inclusion of credentials, signing assets, private keys, generated app bundles, or local system files
- A privacy issue that conflicts with Localight's fully on-device and offline design
- A build or project configuration issue that could expose sensitive data
General app bugs, model quality issues, inaccurate responses, unsupported devices, unavailable Foundation Models, and UI problems can be reported with the public bug report template unless they expose private data or create a security risk.