MR Chatter is early in its public open-source lifecycle. Security fixes are handled on a best-effort basis for the latest code on the default branch unless noted otherwise.
Please do not report security vulnerabilities in public GitHub issues.
Preferred reporting paths:
- GitHub private vulnerability reporting for this repository, if enabled
- a maintainer contact method listed on the repository or maintainer profile
Include:
- a description of the issue
- impact and affected area
- reproduction steps or proof of concept
- any suggested mitigation, if available
If no private channel is available yet, open a minimal public issue requesting a private contact path without including vulnerability details.
Examples of issues in scope for a report include:
- token or credential leakage
- unsafe handling of locally stored secrets
- vulnerabilities in external-service integration flows
- command execution or path-handling issues that could expose user data
- updater or release-signing weaknesses
This repo should never contain live credentials.
If you notice a committed secret:
- stop using the secret immediately
- rotate or revoke it at the provider
- remove it from the repository state and, if necessary, from git history
- re-scan the repository before publication or release
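The "remove from git history" and "re-scan before publication" steps above are easy to get half right: a secret deleted in a later commit is still reachable in history until that history is rewritten. The following is an added example, not MR Chatter's own tooling, of a small pre-release scan that checks both the working tree and every line ever added in `git log -p`. The token-prefix patterns (AWS `AKIA…`, GitHub `ghp_…`, Slack `xox…`) follow the providers' published formats, and the generic `key = value` rule is a noisy heuristic; both sets are assumptions to tune for the services your project actually integrates with. The sample config is constructed.

```python
"""Pre-publication secret scan (added example, not project code).

Scans a checkout for credential-looking strings, then optionally the
full git history, so a secret removed in the tree but still present in
an old commit is not missed."""
import re
import subprocess
import tempfile
from pathlib import Path

# (label, regex). Prefix patterns follow provider-documented formats;
# the generic rule is a heuristic and will flag some harmless lines.
SECRET_PATTERNS = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-token", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b")),
    ("slack-token", re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b")),
    ("private-key-block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic-assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})")),
]

# Constructed sample: the kind of config fragment that must never be committed.
# Line 1 is harmless metadata (a service URL); lines 2 and 3 are credentials.
SAMPLE_CONFIG = """\
service_url = https://chat.example.invalid/api
aws_access_key_id = AKIAEXAMPLEKEY000001
github_token = "ghp_0123456789abcdef0123456789abcdef0123"
password = "short"
"""


def find_secret_candidates(text, source="<text>"):
    """Return [(source, line_no, label, matched_text)] for suspicious lines.

    Patterns are tried in order and only the first match per line is
    reported, so a specific prefix rule wins over the generic heuristic."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for label, pattern in SECRET_PATTERNS:
            match = pattern.search(line)
            if match:
                hits.append((source, line_no, label, match.group(0)))
                break
    return hits


def scan_tree(root, skip_dirs=(".git", "node_modules", "target", "dist")):
    """Scan every text file under root, skipping VCS and build directories."""
    root = Path(root)
    hits = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if not path.is_file() or any(p in skip_dirs for p in rel.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except (UnicodeDecodeError, OSError):
            continue  # binary or unreadable file: skip
        hits.extend(find_secret_candidates(text, str(rel)))
    return hits


def scan_git_history(repo):
    """Scan every line ever added in any commit reachable from any ref.

    Deleting a secret from the tree is not enough: this is the check that
    tells you whether history itself still needs rewriting."""
    log = subprocess.run(
        ["git", "-C", str(repo), "log", "-p", "--all", "--no-color"],
        capture_output=True, text=True, check=True).stdout
    hits, commit = [], "?"
    for line in log.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1][:12]
        elif line.startswith("+") and not line.startswith("+++"):
            for _, _, label, match in find_secret_candidates(line[1:]):
                hits.append((f"history:{commit}", 0, label, match))
    return hits


def demo_tree_scan():
    """Write the constructed sample into a temp checkout and scan it.

    A copy is also placed under .git/ to show that directory is skipped."""
    root = Path(tempfile.mkdtemp())
    (root / "config.ini").write_text(SAMPLE_CONFIG, encoding="utf-8")
    (root / ".git").mkdir()
    (root / ".git" / "junk").write_text(SAMPLE_CONFIG, encoding="utf-8")
    return scan_tree(root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    found = scan_tree(target)
    if Path(target, ".git").exists():
        found += scan_git_history(target)
    for source, line_no, label, match in found:
        # Print only a prefix so the scan output itself does not leak the value.
        print(f"{source}:{line_no}: {label}: {match[:8]}...")
    sys.exit(1 if found else 0)
```

Run it as `python scan_secrets.py path/to/checkout` before tagging a release; a non-zero exit means something needs rotating and, if it came from `history:`, a history rewrite followed by a fresh scan. Treat every hit as a candidate to review rather than a verdict, and add patterns for each external service the project talks to.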
MR Chatter stores service tokens in the system credential store / keychain where possible. Metadata such as service URLs may still be stored locally in app config files. Protect your local machine and account access accordingly.