If you discover a security vulnerability in StackUnderflow, please report it responsibly:
- Do not open a public GitHub issue
- Report it through GitHub's private vulnerability reporting for this repository
- Include a description of the vulnerability and steps to reproduce
StackUnderflow runs locally and processes local files. The main security considerations are:
- API keys — never hardcode keys in source. Use environment variables.
- Share feature — an opt-in upload to an external service. Review what a share contains before uploading it.
- SQLite databases — services store data locally. These may contain conversation content.
- CORS — the local server allows all origins for localhost development convenience. As a consequence, any web page open in the same browser can send requests to the server and read the responses, so the server must stay reachable only from the local machine.
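The following is an added example, not StackUnderflow's own code, showing the allow-all CORS setting described above beside a hardened variant that only echoes back loopback origins. The port, the `Handler` class and the function names are assumptions for illustration; the project's server may be structured differently.

```python
# Added example (not part of StackUnderflow): an Origin allowlist for a local
# HTTP server, contrasted with an allow-all CORS policy. Port, handler and
# function names are assumptions for illustration.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

PORT = 8000  # assumed port of the local server

# Weak setting: the wildcard lets any page open in the browser read responses.
def cors_headers_allow_all(origin):
    return {"Access-Control-Allow-Origin": "*"}

# Hardened setting: only origins that are genuinely on this machine.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_local_origin(origin):
    """True only for http(s)://<loopback host>[:port] with nothing after it."""
    if not origin or origin == "null":      # missing header or opaque origin
        return False
    try:
        parts = urlsplit(origin)
        parts.port                          # raises ValueError on a bad port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # An Origin header never carries a path, query, fragment or userinfo;
    # rejecting them blocks values such as http://localhost@evil.example.
    if parts.path or parts.query or parts.fragment or parts.username:
        return False
    # hostname is lower-cased and has IPv6 brackets stripped, so
    # http://localhost.evil.example and http://[::1]:3000 both compare cleanly.
    return parts.hostname in LOCAL_HOSTS


def cors_headers_local_only(origin):
    """CORS headers for an allowlisted origin; empty dict (no CORS) otherwise."""
    if not is_local_origin(origin):
        return {}
    return {
        "Access-Control-Allow-Origin": origin,   # echo the exact origin, never "*"
        "Vary": "Origin",                        # caches must key on Origin
        "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
        "Access-Control-Allow-Headers": "Content-Type",
    }


class Handler(BaseHTTPRequestHandler):
    """Minimal handler wiring the allowlist into every response."""

    def _send(self, status, body=b""):
        self.send_response(status)
        for name, value in cors_headers_local_only(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_OPTIONS(self):            # CORS preflight
        self._send(204)

    def do_GET(self):
        self._send(200, b'{"status": "ok"}')


def serve():
    # Bind to loopback only; the allowlist is a second layer, not a substitute.
    HTTPServer(("127.0.0.1", PORT), Handler).serve_forever()


if __name__ == "__main__":
    serve()
```

CORS only controls whether a page may read a response; a hostile page can still fire simple cross-origin requests at the server. State-changing endpoints therefore still need their own check (for example, requiring a custom request header, which forces a preflight that the allowlist above will refuse).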
Only the latest release receives security updates.