Goose is currently in alpha. Only the latest commit on main is supported.
| Version | Supported |
|---|---|
| main (latest) | ✅ |
| older commits | ❌ |
Please do not report security vulnerabilities via public GitHub issues.
If you discover a security vulnerability, report it privately:
- Open a GitHub Security Advisory — this is confidential and only visible to maintainers.
- Or reach out via GitHub Discussions.
Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof of concept
- Any suggested mitigations
You can expect an acknowledgement within 72 hours and a resolution timeline within 14 days for confirmed issues.
Security issues in scope:
- The iOS app (`GooseSwift/`) — data leakage, insecure Keychain usage, URL scheme abuse
- The Rust core (`Rust/core/`) — memory safety, FFI boundary issues
- The self-hosted server (`server/`) — injection, authentication bypass, data exposure
- CI/CD workflows (`.github/workflows/`) — supply chain risks
Out of scope:
- Issues requiring physical access to an unlocked device
- Denial-of-service via large BLE payloads
- Issues in third-party dependencies (report to the upstream project directly)
We follow responsible disclosure. Once a fix is deployed, we will publish a security advisory crediting the reporter (unless anonymity is requested).