We release patches for security vulnerabilities in the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a security vulnerability, please follow these steps:
Security vulnerabilities should be reported privately to protect our users.
Send an email to: security@mindmate.app
Include the following information:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Your contact information

Response timeline:
- Initial response: Within 48 hours
- Status update: Within 7 days
- Resolution: As quickly as possible

What to expect after reporting:
- We will acknowledge receipt of your report
- We will investigate and validate the issue
- We will work on a fix
- We will coordinate disclosure with you
- We will credit you (if desired) in our security advisories

Data protection:
- Local Storage: All data is stored locally on your device
- Encryption: Sensitive data is encrypted using Flutter Secure Storage
- No Cloud Sync: Your data never leaves your device unless you explicitly export it
- No Tracking: We don't collect any analytics or user data

Authentication:
- Biometric Support: Optional fingerprint/face recognition
- No Passwords: No password-based authentication to avoid security risks
- Device-Only: Authentication is tied to your device

Privacy:
- Offline-First: App works without an internet connection
- No Data Collection: We don't collect any personal information
- Open Source: All code is publicly available for review
- No Third-Party Analytics: No tracking or analytics services

AI integration:
- API Keys: Stored securely using Flutter Secure Storage
- No Data Transmission: Journal entries are not sent to external services
- Optional AI: AI features are completely optional and can be disabled
- Free APIs Only: Only uses free tiers of AI services

Recommendations for users:
- Keep your device updated: Regular OS updates include security patches
- Use biometric authentication: Enable device-level security
- Regular backups: Export your data regularly
- Secure device: Use the device lock screen and device encryption
- Review permissions: Only grant necessary permissions

Practices for developers:
- Code review: All code changes are reviewed
- Dependency updates: Regular updates of dependencies
- Security scanning: Automated security checks in CI/CD
- Minimal permissions: Request only necessary permissions
- Secure storage: Use Flutter Secure Storage for sensitive data

We regularly audit our code for security issues:
- Static Analysis: Automated code analysis
- Dependency Scanning: Regular dependency vulnerability checks
- Code Review: Manual code review process
- Penetration Testing: Regular security testing
- Third-Party Audits: External security reviews

When we discover or are notified of a security vulnerability:
- Assessment: We assess the severity and impact
- Fix Development: We develop a fix as quickly as possible
- Testing: We thoroughly test the fix
- Release: We release the fix in a new version
- Disclosure: We publish a security advisory
- Communication: We notify users through appropriate channels

Security advisories are published in:

For security-related questions or concerns:
- Email: security@mindmate.app
- GitHub: Security Advisories
- Issues: GitHub Issues (for non-security issues)

We thank all security researchers who responsibly disclose vulnerabilities to us.

This security policy is subject to our Terms of Service and Privacy Policy.

Last updated: December 19, 2024