Security

Report security issues privately, not via public GitHub issues.

How to report

Use GitHub's private security advisory form. We aim to acknowledge within 72 hours.

In scope

• Code execution via crafted YouTube Music responses, mpv inputs, or config files
• Credential exposure (auth.json, spotify.json, MPRIS bus content)
• Path traversal / arbitrary file write via cache or download paths
• IPC socket abuse on Linux/macOS or TCP-localhost on Windows

Out of scope

• Self-XSS in the TUI (no browser surface)
• Anything requiring root/admin access on the local machine
• Issues in upstream libraries (report to those projects)

Full policy mirrors SECURITY.md in the repo.