codex-ubuntu is an unofficial Ubuntu desktop project, but it still handles:
- local auth-bearing URLs
- process reuse and process termination
- local web runtimes on loopback
- desktop launch surfaces
That means security bugs here are real bugs, even when the runtime is local-only.
The current security focus is:
- launcher stop and reuse safety
- token redaction and log hygiene
- XDG path handling
- desktop integration correctness
- safe fallback behavior while the Electron path is being built
Please do not open a public issue for a vulnerability that could expose user data or local tokens, or that allows unsafe process control (for example, terminating a process the launcher does not own).
Instead:
- describe the issue privately to the maintainer
- include affected version or commit
- include reproduction steps
- include expected versus actual behavior
If you are not sure whether something is security-sensitive, err on the side of private disclosure first.
Examples of issues that are in scope:
- stale PID reuse that can kill unrelated processes
- token leakage into logs or persistent browser history beyond what the runtime already requires
- the loopback runtime binding to a non-loopback interface instead of localhost only
- provider metadata being trusted without validation
- desktop entry or protocol handler behavior that enables unintended command execution
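Two of the listed failure modes, stale PID reuse and token leakage into logs, are easy to get wrong in a small launcher. The following is an added example written for this page, not codex-ubuntu's own code. It assumes a Linux `/proc` filesystem, a pidfile format of `<pid> <starttime> <comm>` that the launcher writes at start (hypothetical format chosen for the example), and a constructed list of query parameter names that carry auth material. `SENSITIVE_PARAMS`, `stop_launcher`, and the `launcher-runtime` process name are all assumptions of the example.

```python
"""Stale-PID-safe stop and auth-URL redaction for a local desktop launcher.

Added example, not project code. Assumes Linux /proc and a pidfile written as
"<pid> <starttime> <comm>" by the launcher when it starts the runtime.
"""
import os
import signal
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed list of query parameters treated as auth material. A real
# launcher would match whatever its runtime actually emits in local URLs.
SENSITIVE_PARAMS = {"token", "auth", "access_token", "api_key"}


def redact_auth_url(url: str) -> str:
    """Return url with the values of auth-bearing query params replaced.

    Query order and non-sensitive params are preserved so the log line stays
    useful for debugging; only the secret values are removed.
    """
    parts = urlsplit(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    redacted = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                for k, v in query]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(redacted), parts.fragment))


@dataclass(frozen=True)
class ProcIdentity:
    pid: int
    start_ticks: int  # field 22 of /proc/<pid>/stat: start time in clock ticks since boot
    comm: str         # executable name from /proc/<pid>/comm


def read_proc_identity(pid: int) -> Optional[ProcIdentity]:
    """Read the live identity of pid from /proc; None if it no longer exists."""
    try:
        with open(f"/proc/{pid}/stat") as f:
            stat = f.read()
        with open(f"/proc/{pid}/comm") as f:
            comm = f.read().strip()
    except (FileNotFoundError, ProcessLookupError):
        return None
    # The comm field in stat is parenthesised and may contain spaces, so split
    # after the last ')'. fields[0] is then field 3 (state), so field 22
    # (starttime) is at index 19.
    fields = stat[stat.rindex(")") + 2:].split()
    return ProcIdentity(pid, int(fields[19]), comm)


def format_pidfile(identity: ProcIdentity) -> str:
    """Serialise identity in the pidfile format this example assumes."""
    return f"{identity.pid} {identity.start_ticks} {identity.comm}\n"


def parse_pidfile(text: str) -> Optional[ProcIdentity]:
    """Parse '<pid> <starttime> <comm>'; None if the file is malformed."""
    parts = text.split()
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    return ProcIdentity(int(parts[0]), int(parts[1]), parts[2])


def stop_launcher(pidfile_text: str,
                  lookup: Callable[[int], Optional[ProcIdentity]] = read_proc_identity,
                  kill: Callable[[int, int], None] = os.kill) -> str:
    """Signal the recorded runtime only if the PID still names the same process.

    Returns one of: 'invalid' (bad pidfile), 'stale' (PID gone; safe to remove
    the pidfile), 'reused' (PID now belongs to an unrelated process; do not
    signal it), or 'stopped' (SIGTERM sent). Comparing start time and comm,
    not just the PID number, is what prevents killing an unrelated process
    after PID wrap-around or a reboot.
    """
    recorded = parse_pidfile(pidfile_text)
    if recorded is None:
        return "invalid"
    live = lookup(recorded.pid)
    if live is None:
        return "stale"
    if live != recorded:
        return "reused"
    kill(recorded.pid, signal.SIGTERM)
    return "stopped"


if __name__ == "__main__":
    # Constructed sample: an auth-bearing local URL and a pidfile entry.
    print(redact_auth_url("http://127.0.0.1:1455/?token=abc123&view=chat"))
    sample = ProcIdentity(4242, 1234567, "launcher-runtime")
    print(stop_launcher(format_pidfile(sample), lookup=lambda _pid: None))
```

On a real system the launcher would call `read_proc_identity(child.pid)` right after spawning the runtime and persist `format_pidfile(...)`; the `lookup` and `kill` parameters exist so the decision logic can be exercised without touching live processes. Start time in clock ticks is stable for the life of a process and is not reused when a later process gets the same PID, which is why the comparison is stronger than checking that `/proc/<pid>` exists.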
The repository does not claim to secure proprietary upstream services or official upstream binaries beyond the local launcher logic it owns.