FreeFlow captures microphone audio, takes screenshots for context inference, and stores an API key on the local machine. If you've found a vulnerability or potential privacy issue, please report it privately rather than opening a public issue.
Use one of the following channels:
- Open a private security advisory on GitHub: https://github.com/aruneshvv/freeflow/security/advisories/new
- Or start a private conversation by opening a Discussion in the "Security" category (once enabled) — do not include exploit details in a public thread.
Please include:
- A description of the vulnerability and the affected component (macOS app, Windows app, a specific module).
- Steps to reproduce, or a proof-of-concept.
- The FreeFlow version and platform (macOS / Windows version).
- Any suggested fix or mitigation.
- Acknowledgement of your report within 7 days.
- A triage assessment (confirmed / not reproducible / out of scope) within 14 days.
- For confirmed issues: coordinated disclosure once a fix is available or a mitigation documented.
In scope:
- The FreeFlow macOS app (Swift,
Sources/). - The FreeFlow Windows app (Python,
windows/). - The build and release pipeline (installer, DMG, GitHub Actions workflows).
Out of scope:
- Vulnerabilities in upstream dependencies (Groq API,
keyboard,pystray, etc.) — report those to their respective maintainers. - Social-engineering or physical-access attacks.
FreeFlow is a small open-source project with no bug-bounty program. We appreciate responsible disclosure and will credit reporters who wish to be named in the release notes for the fix.