If you discover a security vulnerability in Magia, please report it responsibly.

Email: security@magia.sh

Please include:

• A clear description of the vulnerability
• Steps to reproduce the issue
• Any relevant logs, screenshots, or proof-of-concept code
• Your assessment of the severity and potential impact

Response timeline:

• 48 hours -- acknowledgment of your report
• 7 days -- initial assessment and severity classification
• 90 days -- target for releasing a fix (depending on complexity)

Do not open public GitHub issues for security vulnerabilities.

• Tauri IPC security (command permissions, unauthorized access between frontend and backend)
• Credential storage and retrieval (OS keychain via the keyring crate)
• Provider API key handling and potential leakage
• Content Security Policy (CSP) bypasses
• Code execution vulnerabilities (local privilege escalation, arbitrary command injection)
• Authentication and session token handling
• Data exfiltration from the application sandbox

• Social engineering attacks against users or maintainers
• Denial of service (DoS) attacks
• Vulnerabilities in upstream dependencies (please report those to the relevant upstream project)
• Issues requiring physical access to the user's machine
• Bugs in third-party AI provider APIs or services

We follow a coordinated disclosure model:

1. Report the vulnerability privately via email.
2. We will work with you to understand and validate the issue.
3. We will develop and test a fix.
4. We will release the fix and publish an advisory.
5. After 90 days from the initial report (or once a fix is released, whichever comes first), the vulnerability may be publicly disclosed.

We ask that you do not publicly disclose the vulnerability before the 90-day window expires or before a fix is available, whichever comes first. We will credit reporters in advisories unless anonymity is requested.

Magia incorporates the following security measures:

• OS keychain storage -- Provider API keys and credentials are stored in the operating system's native keychain (macOS Keychain, Windows Credential Manager, Linux Secret Service) via the keyring crate. Credentials are never written to disk in plaintext.
• Content Security Policy -- CSP headers restrict script execution and resource loading within the webview.
• Tauri permission system -- IPC commands between the frontend and Rust backend are gated by Tauri's capability-based permission model, limiting what the webview can access.
• Telemetry controls -- Telemetry (Sentry, PostHog) is gated by environment variables. Self-built versions have zero telemetry by default.

Security fixes are applied to the latest release only. We recommend always running the most recent version of Magia.