Edmund is in beta (pre-1.0). Only the latest released version is supported with security fixes.
| Version | Supported |
|---|---|
| latest | ✅ |
| older | ❌ |
Please report security vulnerabilities privately using GitHub's private vulnerability reporting (Security tab → "Report a vulnerability"). Do not open a public issue for suspected vulnerabilities.
Include as much detail as you can: affected version, reproduction steps, impact, and any proof-of-concept. You should get an initial response within 7 days.
Since Edmund is a local, offline-first macOS app (no server, no accounts, no telemetry), the main risk areas are:
- Malicious Markdown/HTML content leading to code execution, sandbox escape, or unintended network access when opening a file
- Sparkle auto-update integrity (signature/verification bypass)
- Arbitrary file read/write outside the file the user opened
If confirmed, a fix will be released and credited in the release notes (unless you prefer to stay anonymous).
Please give a reasonable amount of time to fix an issue before any public disclosure. There is no bug bounty program.