From 1fbc9746475c4e45c8c26e71e9ceeea3d347e988 Mon Sep 17 00:00:00 2001 From: Sam Powers <35611153+sam-powers@users.noreply.github.com> Date: Sat, 13 Jun 2026 22:59:21 -0400 Subject: [PATCH] docs(security): add vulnerability disclosure contact MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds a "Reporting a vulnerability" section so anyone who finds an issue has a private channel (sapowers16@gmail.com) to report it before it's public — the conventional thing reviewers and security-minded users look for, and worth having before the app gets attention. Co-Authored-By: Claude Opus 4.8 --- docs/SECURITY.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index e252719..f5e19dc 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -6,6 +6,16 @@ to be read by an engineer reviewing the app, not just to list mitigations. Where we left something unchanged, the rationale is here too, because a defensible non-fix is part of the posture. +## Reporting a vulnerability + +If you find a security issue in Quill, please report it privately rather than +opening a public issue, so it can be fixed before it's widely known. Email +**sapowers16@gmail.com** with a description and, where possible, steps to +reproduce. You'll get an acknowledgement, and we'll work the fix and any +disclosure timing with you. There is no bug-bounty program — this is a small +open-source project — but reports are genuinely welcome and credited if you'd +like. + ## What Quill is, in security terms Quill is a local, single-user macOS desktop app (Tauri 2 + a React/TypeScript