If you discover a security vulnerability in TSC Bridge, please report it responsibly. Do not open a public GitHub issue.

Send an email to security@abstraktgt.com with:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

You will receive an acknowledgment within 48 hours. We will work with you to understand the issue and coordinate a fix before any public disclosure.

TSC Bridge runs as a local service on 127.0.0.1. It is not designed to be exposed to the network. The threat model assumes:

• Trusted: The local machine and its users
• Untrusted: Remote network traffic, web page JavaScript (CORS-restricted)

The HTTP API enforces CORS headers. Only origins explicitly configured in the bridge configuration file are allowed to make API requests.

TSC Bridge can generate a self-signed TLS certificate for HTTPS on localhost. This prevents mixed-content warnings when the calling web application uses HTTPS.

When connected to a backend, the bridge uses token-based authentication. Tokens are stored encrypted (AES-256) in the local configuration file.

Direct USB printing requires operating system permissions. On macOS, the bridge may need to detach the kernel driver from the USB device. On Linux, the user may need to be in the lp or plugdev group.