Security: pentaxis93/oracy

SECURITY.md

Security Policy

Supported Versions

  Version   Supported
  0.1.x     Yes

Reporting a Vulnerability

Please do not open a public issue for security vulnerabilities.

To report a security issue, use GitHub Security Advisories. This allows us to discuss and fix the issue privately before public disclosure.

What to include

  • Description of the vulnerability
  • Steps to reproduce
  • Affected component (server API, client app, dependencies)
  • Impact assessment if known

Response timeline

  • Acknowledgment: within 48 hours
  • Initial assessment: within 1 week
  • Fix or mitigation: depends on severity, targeting 30 days for critical issues

Scope

The following areas are in scope for security reports:

  • Server API — authentication, authorization, input validation, data handling
  • Client app — API key storage, data transmission, local data security
  • Dependencies — vulnerabilities in third-party packages used by the project
  • Infrastructure — Docker configuration, deployment scripts, TLS setup

Out of scope

  • Vulnerabilities in upstream services (OpenAI API, PostgreSQL) — report these to the respective maintainers
  • Issues requiring physical access to a device
  • Social engineering attacks

Security Design

Oracy handles audio data and API keys. Key security measures:

  • API keys are hashed (SHA-256) before storage — plaintext keys are never persisted
  • All API endpoints require Bearer token authentication
  • Rate limiting protects against abuse
  • Audio files are processed server-side and not stored after transcription
  • Client app uses platform-native secure storage (Keychain/Keystore) for API keys
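The first two measures above (hash-before-store and Bearer authentication) can be illustrated with a small key service. This is an added example, not Oracy's own code; it assumes an in-memory dict in place of the project's database and an `ory_` key prefix that is purely illustrative.

```python
# Added example (not Oracy's code): API keys are persisted only as SHA-256
# digests, and a Bearer token is verified by hashing it and comparing the
# digest against the store in constant time.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Stand-in for the server's key table (assumption): sha256 hex digest -> metadata.
KEY_STORE: Dict[str, dict] = {}


def hash_api_key(key: str) -> str:
    """SHA-256 hex digest of an API key; this digest is all that is stored.
    An unsalted fast hash is sound here only because keys are long random
    strings (not user-chosen passwords), so they cannot be brute-forced."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_api_key(owner: str) -> str:
    """Create a fresh random key, persist only its digest, return plaintext once."""
    key = "ory_" + secrets.token_urlsafe(32)  # "ory_" prefix is an assumption
    KEY_STORE[hash_api_key(key)] = {"owner": owner, "active": True}
    return key


def authenticate_bearer(authorization_header: Optional[str]) -> Optional[dict]:
    """Resolve an 'Authorization: Bearer <key>' header to key metadata, or None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.partition(" ")
    if scheme != "Bearer" or not token.strip():
        return None
    digest = hash_api_key(token.strip())
    # Compare against every stored digest with a constant-time comparison so
    # the response time does not depend on how close a guess is to a real key.
    match = None
    for stored_digest, meta in KEY_STORE.items():
        if hmac.compare_digest(stored_digest, digest) and meta["active"]:
            match = meta
    return match


def revoke_api_key(key: str) -> bool:
    """Deactivate a key given its plaintext; True if it was known."""
    meta = KEY_STORE.get(hash_api_key(key))
    if meta is None:
        return False
    meta["active"] = False
    return True
```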

There aren’t any published security advisories