
Security: OpenWhispr/openwhispr

SECURITY.md

Security Policy

Supported Versions

Version   Supported
1.6.x     Yes
< 1.6     No

Reporting a Vulnerability

Please do not open public issues for security vulnerabilities.

Use GitHub's private vulnerability reporting to submit a report. You can also email security@openwhispr.com.

We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.

Scope

The following are in scope:

  • Remote code execution via crafted audio files or transcription output
  • Privilege escalation through native binaries (key listeners, paste helpers)
  • Credential exposure (API keys, OAuth tokens, database credentials)
  • Cross-site scripting (XSS) in the Electron renderer
  • Insecure IPC between main and renderer processes
  • Supply chain attacks via dependencies or native compilation

Out of scope:

  • Issues requiring physical access to an already-unlocked machine
  • Denial of service against the local application
  • Social engineering

Security Model

  • Local-first audio processing — Audio is transcribed on-device using whisper.cpp or NVIDIA Parakeet. Recordings are not sent to external servers unless the user explicitly configures a remote provider.
  • Credential storage — Sensitive credentials are encrypted at rest with Electron's safeStorage API, which relies on the operating system's keychain or equivalent, where that is available.
  • Native binaries — Platform-specific helpers (key listeners, paste utilities) are compiled from source during the build process.
  • Context isolation — The Electron renderer runs with context isolation enabled and a restricted preload bridge.
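The restricted preload bridge and safeStorage-backed credential storage described above, shown as an added example that is not OpenWhispr's own code. Electron's objects (contextBridge, ipcRenderer, ipcMain, safeStorage) are passed in rather than required so the logic can be exercised under plain Node with fakes; the channel names, the `openwhisprApi` global and the credential-name format are assumptions made for this example.

```javascript
// Added example, not code from the OpenWhispr project: a restricted preload
// bridge plus a main-process credential store on top of Electron's safeStorage.
// Electron's objects (contextBridge, ipcRenderer, ipcMain, safeStorage) are
// passed in rather than required, so the logic runs under plain Node with fakes.
// Channel names, the "openwhisprApi" global and the credential-name format are
// hypothetical.

// Allowlist of IPC channels the renderer may invoke, each with an argument
// validator. A channel that is not listed never reaches ipcRenderer.invoke.
const CREDENTIAL_NAME = /^[A-Za-z0-9_-]{1,64}$/;
const CHANNELS = {
  "credentials:set": (args) =>
    args.length === 2 &&
    typeof args[0] === "string" && CREDENTIAL_NAME.test(args[0]) &&
    typeof args[1] === "string" && args[1].length > 0 && args[1].length <= 4096,
  "credentials:has": (args) =>
    args.length === 1 && typeof args[0] === "string" && CREDENTIAL_NAME.test(args[0]),
};

function validate(channel, args) {
  const check = CHANNELS[channel];
  if (check === undefined) throw new Error(`IPC channel not allowed: ${channel}`);
  if (!check(args)) throw new Error(`Rejected arguments for ${channel}`);
}

// Preload side. Only named functions are exposed; the raw ipcRenderer object
// is never handed to the page, so the renderer cannot pick its own channel.
function installPreloadBridge(contextBridge, ipcRenderer) {
  const invoke = (channel, args) => {
    validate(channel, args);
    return ipcRenderer.invoke(channel, ...args); // a Promise in real Electron
  };
  const api = Object.freeze({
    setCredential: (name, value) => invoke("credentials:set", [name, value]),
    hasCredential: (name) => invoke("credentials:has", [name]),
  });
  contextBridge.exposeInMainWorld("openwhisprApi", api);
  return api;
}

// Main side. Secrets are encrypted with safeStorage before they are persisted;
// if OS-level encryption is unavailable the store refuses to save plaintext.
// That is a fail-closed choice made here; the policy only says safeStorage is
// used "where available".
class CredentialStore {
  constructor(safeStorage, backing = new Map()) {
    this.safeStorage = safeStorage;
    this.backing = backing; // name -> encrypted Buffer; stand-in for the on-disk file
  }
  set(name, plaintext) {
    if (!this.safeStorage.isEncryptionAvailable()) {
      throw new Error("OS-level encryption unavailable; refusing to store plaintext");
    }
    this.backing.set(name, this.safeStorage.encryptString(plaintext));
  }
  has(name) { return this.backing.has(name); }
  get(name) {
    const blob = this.backing.get(name);
    return blob === undefined ? null : this.safeStorage.decryptString(blob);
  }
}

// Handlers re-validate: the preload checks are a convenience, the main-process
// checks are the security boundary. There is deliberately no "credentials:get"
// channel, so a renderer compromise (e.g. XSS) cannot read secrets back out.
function registerMainHandlers(ipcMain, store) {
  ipcMain.handle("credentials:set", (_event, ...args) => {
    validate("credentials:set", args);
    store.set(args[0], args[1]);
    return true;
  });
  ipcMain.handle("credentials:has", (_event, ...args) => {
    validate("credentials:has", args);
    return store.has(args[0]);
  });
}
```

In a real preload script the `contextBridge` and `ipcRenderer` arguments come from `require("electron")`, and `ipcRenderer.invoke` returns a Promise; the fakes used when testing this block resolve synchronously. The point worth keeping is the shape: an allowlist of channels, per-channel argument validation on both sides, and no channel that returns decrypted secrets to the renderer.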

Disclosure Policy

We follow coordinated disclosure. Once a fix is released, we will credit reporters in the changelog (unless they prefer to remain anonymous).
