Skip to content

Security: aruneshvv/freeflow

Security

SECURITY.md

Security Policy

FreeFlow captures microphone audio, takes screenshots for context inference, and stores an API key on the local machine. If you've found a vulnerability or potential privacy issue, please report it privately rather than opening a public issue.

Reporting a vulnerability

Use one of the following channels:

Please include:

  • A description of the vulnerability and the affected component (macOS app, Windows app, a specific module).
  • Steps to reproduce, or a proof-of-concept.
  • The FreeFlow version and platform (macOS / Windows version).
  • Any suggested fix or mitigation.

What to expect

  • Acknowledgement of your report within 7 days.
  • A triage assessment (confirmed / not reproducible / out of scope) within 14 days.
  • For confirmed issues: coordinated disclosure once a fix is available or a mitigation documented.

Scope

In scope:

  • The FreeFlow macOS app (Swift, Sources/).
  • The FreeFlow Windows app (Python, windows/).
  • The build and release pipeline (installer, DMG, GitHub Actions workflows).

Out of scope:

  • Vulnerabilities in upstream dependencies (Groq API, keyboard, pystray, etc.) — report those to their respective maintainers.
  • Social-engineering or physical-access attacks.

Disclosure philosophy

FreeFlow is a small open-source project with no bug-bounty program. We appreciate responsible disclosure and will credit reporters who wish to be named in the release notes for the fix.

There aren't any published security advisories