We actively support the following versions with security updates:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
We take security seriously. If you discover a vulnerability, please report it responsibly.
Do NOT open a public GitHub issue for security vulnerabilities.
Instead, please:
- Email us at:
- Create an issue with the label `security` on our GitHub Issues (we'll make it private if needed)
- Or DM us on Discord:
  - Naseem: @ws.
  - Noor: @sjc03
- Or send feedback inside the app directly about the security issue you found
Please provide:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
| Stage | Timeline |
|---|---|
| Initial response | Within 48 hours |
| Vulnerability confirmation | Within 7 days |
| Fix development | Depends on severity |
| Patch release | As soon as possible |
When using YzPzCode:
- API Keys: Never share your AI CLI API keys. YzPzCode does not store or transmit your keys — they remain local to your machine.
- Workspace Paths: Be mindful of which directories you open in the app.
- Updates: Keep the app updated to receive security patches.
- Downloads: Only download YzPzCode from our official GitHub Releases.
The macOS version is currently unsigned due to Apple Developer certification being in progress. This means:
- macOS will show a security warning on first launch
- You'll need to bypass Gatekeeper (see README.md)
- The app is built from this open-source repository and is safe to run
We are actively working on code-signing and expect it to be completed within a few weeks.
YzPzCode spawns real PTY (pseudo-terminal) sessions to run AI CLI tools. This means:
- The app has terminal-level access to your system
- Only use AI CLIs from trusted sources
- Be cautious with commands suggested by AI agents
YzPzCode relies on:
- Tauri v2 — Application framework
- portable-pty — Terminal emulation
- AI CLI tools (Claude, Gemini, Codex, etc.) — each has its own security policy
We follow responsible disclosure:
- Vulnerabilities are disclosed after a fix is released
- Credit is given to reporters (unless they prefer to remain anonymous)
- CVEs will be requested for significant vulnerabilities
Questions? Reach out via GitHub Issues or Discord.
Last updated: March 2026