
Security: DuminAndrew/BloatFree-Android


SECURITY.md

Security Policy

Supported Versions

BloatFree is in active development. Security fixes are applied to the latest released version on the main branch.

Version   Supported
0.1.x     Yes

Reporting a Vulnerability

If you discover a security vulnerability, please report it privately — do not open a public issue.

Please include:

  • The affected component (e.g. Shizuku command execution, package repository, UI).
  • Steps to reproduce or a proof-of-concept.
  • The potential impact as you see it.

You can expect an initial acknowledgement within 5 business days. Once a fix is available, a coordinated disclosure timeline will be agreed upon.

Privilege and safety model

BloatFree relies on Shizuku to run package operations with elevated, ADB-level (shell) privileges — without root. This is powerful by design:

  • Disabling or uninstalling the wrong system package can cause boot loops, a broken system UI, or a non-functional device. BloatFree surfaces a "safe to remove" heuristic, but the user is always responsible for the packages they choose to act on. Removed user-space apps can typically be reinstalled; disabling system packages is reversible, but uninstalling them for the current user may require a factory reset to undo.
  • The app issues commands only in response to explicit user actions and does not perform any operation in the background or without on-screen confirmation.
  • BloatFree makes no network calls and collects no analytics or telemetry. It reads the installed-package list locally and never transmits it.

When reporting issues, please treat any path that could let a malicious package or crafted package name influence command execution as security-sensitive.
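The class of issue described above, a package name reaching a shell command, is easiest to rule out at the boundary where the name is turned into a command. The following Kotlin is an added illustration, not BloatFree's own code: it assumes the app is written in Kotlin, and the function and value names are hypothetical. It accepts only names that match the Android package-name grammar (dot-separated Java identifiers) and builds the `pm` invocation as an argument vector, so that no shell ever parses the name.

```kotlin
// Added illustration, not BloatFree's own code. Names are hypothetical.
// Android package names are dot-separated Java identifiers: each segment
// starts with a letter or underscore and contains only letters, digits and
// underscores, and there must be at least two segments.
private val PACKAGE_NAME_RE =
    Regex("""^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)+$""")

/** True only for names that match the package-name grammar exactly. */
fun isValidPackageName(name: String): Boolean =
    name.length in 3..255 && PACKAGE_NAME_RE.matches(name)

/**
 * Builds the `pm disable-user` invocation as an argument vector. Every element
 * becomes its own argv entry, so the package name is never interpreted by a
 * shell. The pattern to avoid is concatenating "pm disable-user --user 0 " + pkg
 * into one string and handing it to `sh -c`, where the shell would parse it.
 */
fun buildDisableUserCommand(pkg: String, userId: Int = 0): List<String> {
    require(isValidPackageName(pkg)) { "Refusing to act on malformed package name: $pkg" }
    require(userId >= 0) { "userId must be non-negative" }
    return listOf("pm", "disable-user", "--user", userId.toString(), pkg)
}

fun main() {
    // Constructed sample inputs: one well-formed name and several that must be rejected.
    val inputs = listOf(
        "com.example.vendorapp",        // well-formed: accepted
        "com.example.app; echo x",      // shell metacharacters: rejected
        "com.example.app\necho x",      // embedded newline: rejected
        "singlesegment",                // fewer than two segments: rejected
        "com.1example.app",             // segment starting with a digit: rejected
    )
    for (name in inputs) {
        val verdict = if (isValidPackageName(name)) "accept" else "reject"
        println("$verdict: ${name.replace("\n", "\\n")}")
    }
    // Only the well-formed name ever reaches the command builder.
    println(buildDisableUserCommand("com.example.vendorapp"))
}
```

The validation deliberately encodes the package-name grammar rather than a denylist of shell characters: a name that is not a valid package name has no legitimate use in a `pm` command, so rejecting it costs nothing. How the argument vector is then executed through Shizuku is left out here, since it depends on the app's own command-execution layer.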

There aren't any published security advisories