Security & Vulnerability Disclosure
Last updated: 2026-05-12
Reporting a vulnerability
Email security@localpocket.app with a description of the issue and reproduction steps. PGP-encrypted mail is preferred (see below). You may also use GitHub Private Vulnerability Reporting.
Please do not file public GitHub Issues, social-media posts, or community-forum threads for unpatched vulnerabilities. Coordinated disclosure protects users.
Scope
In scope:
- Local Pocket macOS application binary (signed DMG from official Releases)
- FastAPI backend embedded in the application
- Official companion clients (iOS, Android, Windows) once released
- Sparkle update channel (updates.localpocket.app)
- This website (localpocket.app)
- Source code on the main branch of the repository
Out of scope:
- Bugs in third-party dependencies — please report upstream and CC us
- Vulnerabilities requiring physical access to an unlocked Mac
- Self-XSS or other client-side issues requiring social engineering
- Missing security headers without a demonstrable exploitation path
- Spam / phishing / clickjacking issues not tied to our infrastructure
- User-misconfigured deployments (e.g. binding the server to the public Internet)
Safe harbor
We will not pursue legal action, send takedowns, or report to law enforcement against researchers who:
- Make a good-faith effort to follow this policy;
- Do not compromise the privacy or data of other users;
- Do not exploit a discovered vulnerability beyond what is needed to demonstrate it;
- Give us a reasonable time to remediate before public disclosure.
We will publicly thank researchers who follow these guidelines — with your permission, in the release notes for the version that fixed the issue, and in our SECURITY.md acknowledgments list.
Response SLA
| Stage | Target |
|---|---|
| Acknowledgement | Within 72 hours |
| Triage & severity classification | Within 7 days |
| Fix released or status update | Within 90 days |
| Public disclosure (coordinated) | After fix ships, unless agreed otherwise |
PGP / encrypted mail
We are setting up a dedicated PGP key for security@localpocket.app. Until it is live, please send reports unencrypted to that address — we will reply from the same mailbox and key-exchange there if you want to follow up encrypted.
Once published, the key fingerprint will appear here and the armored public block will be available at localpocket.app/pgp.txt.
Bug bounty
We do not currently operate a paid bug bounty. A program is planned for v2.2 once we have launch usage data. Until then, public acknowledgement in the release that fixes the issue is the offered reward.
References
- Machine-readable disclosure metadata: /.well-known/security.txt (RFC 9116)
- Source-of-truth policy: SECURITY.md