Only the latest released version of Speak-to-AI receives security fixes.

Please report security issues privately via GitHub's Report a vulnerability form (Security tab → Advisories) rather than opening a public issue. If GitHub is not an option for you, you can email asherbuk@gmail.com instead.

Include, if possible:

• A description of the issue and its impact
• Steps to reproduce (or a proof of concept)
• The affected version and Linux distribution

You can expect an initial response within 7 days. Once the issue is confirmed, a fix will be prepared and released as soon as reasonably possible, and you will be credited in the release notes unless you prefer to stay anonymous.

Speak-to-AI is an offline Linux desktop application: speech recognition runs locally via whisper.cpp, and no audio or transcripts are sent over the network. Reports most relevant to this project include:

• Path traversal or arbitrary file read/write via model paths or configuration (~/.config/speak-to-ai/config.yaml)
• Privilege or input-device issues in the hotkey layer (evdev, D-Bus)
• Unsafe handling of recorded audio buffers or temporary files
• Issues in the local WebSocket server exposed by the daemon

Out of scope: vulnerabilities in upstream dependencies (whisper.cpp, Go modules — please report those to the respective projects) and issues that require prior local root access.