Security: ChaseDreamInfinity/voice-agent

SECURITY.md

Security Policy

Supported versions

Voice Agent is a single-developer hobby project at the moment. Only the latest commit on the main branch is supported. There are no tagged releases yet; fixes ship to main directly.

Reporting a vulnerability

Do not open a public GitHub issue for security-sensitive reports.

Please use GitHub's private vulnerability reporting to disclose privately. Include:

  • A clear description of the issue
  • Steps to reproduce (or a proof-of-concept) on a Snapdragon 8-class Android device running the latest main
  • The expected vs. actual behaviour
  • Whether you'd like to be credited in the fix commit / changelog

Acknowledgement target: 7 days. Triage plus a fix or a written explanation: 30 days.

What's in scope

  • The Android app (android/) and its compiled APK
  • The HTTP path to ElevenLabs (request shape, secret handling, cancellation semantics, redirect handling, certificate validation)
  • The in-app downloader (range-resume, partial-file handling, content validation, write-path safety)
  • The memory store (Room database; SQL injection paths; persistence of user-supplied content)
  • The model-loading path (LiteRT-LM, ONNX Runtime, smart-turn classifier, sentence encoder) — when triggered by app code, not arbitrary attacker input
  • Tool dispatch (getCurrentTime, calculate, navigateTo, the four memory tools) — when triggered by attacker-controlled prompts via the on-device LLM

What's out of scope

  • Vulnerabilities in upstream dependencies (file an issue with the upstream project; we'll bump the version once their fix lands and Dependabot surfaces it)
  • Issues that require a physically rooted device or a previously compromised Android user account
  • The behaviour of Gemma 4, LiteRT-LM, ElevenLabs, ONNX Runtime, ML Kit, Pipecat smart-turn, or any other third-party model / library that this app integrates with
  • Side-channel attacks that require attacker-controlled access to the device's hardware sensors, network packets, or kernel
  • Issues only reproducible on non-Snapdragon hardware (the project is Snapdragon-only by design — see README.md)

What we won't pay you

There is no bug bounty. This is a personal project. The only "reward" is acknowledgement in the fix commit if you'd like.

Cryptographic / secret handling notes

  • The ElevenLabs API key is stored in plain SharedPreferences (sandboxed per app on unrooted devices) with allowBackup="false" in the manifest to block exfiltration via Google Auto Backup. On rooted devices the key is readable. There is no Keystore-backed encryption today; this is documented as a v1 trade-off in CLAUDE.md. Reports about the secret-handling posture are welcome, but they won't be fixed by adding a Keystore wrapper unless there's a concrete attack path beyond the rooted-device scenario.
  • The repo's git history was rewritten on 2026-05-01 to remove identity tokens that had been committed during early development. If you see a leaked token in any commit reachable from main today, please report it immediately — that would be a regression.