Security: Two-Weeks-Team/he-was-socrates

SECURITY.md

Security Policy

Supported versions

While the project is pre-1.0, only the latest commit on main is supported. After v1.0, the most recent minor release receives security patches.

| Version           | Supported |
|-------------------|-----------|
| main (HEAD)       | Yes       |
| pre-tagged builds | No        |

Reporting a vulnerability

Please email app.2weeks@gmail.com with the subject line prefix [he-was-socrates security].

  • Acknowledgment: within 7 days.
  • Triage update: within 14 days.
  • Disclosure window: 90 days from acknowledgment (negotiable for high-impact findings that need extended remediation).
  • PGP key: not yet published. If the report contains sensitive details, propose an alternative channel and the maintainer will respond with one.

Please do not open a public issue for a security vulnerability before coordinated disclosure.

What is in scope

This is a macOS-only Apple-Silicon-only Swift+MLX app. Hard product invariants that, if broken, are always in scope as a vulnerability:

  1. Cloud egress. The App Sandbox does not declare network.client or network.server. Any path by which user audio, transcript, or wondering-log contents could leave the device is in scope. This includes:
    • A future PR that adds a network entitlement
    • A dependency that opens a socket
    • A side-channel via filesystem write to a synced location (iCloud Drive, Dropbox, etc.) without explicit user export action
  2. On-device speech recognition only. If requiresOnDeviceRecognition is ever flipped to false or bypassed, that is in scope.
  3. System prompt immutability. The Korean Socratic prompt (SystemPrompt.composed in packages/SocraticEngine/Sources/SocraticEngine/Gemma/SystemPrompt.swift) must be assembled at compile time. Any path by which runtime input could replace, append, or override the system prompt is in scope.
  4. Bundled Gemma weights integrity. Release builds must verify the SHA-256 of bundled weights against ModelIntegrity.expectedSHA256 before loading. Any path that bypasses the check is in scope.
  5. COPPA child-mode flow. Auto-detection of child mode (via mode_classify) must not result in persistent storage of child speech without verifiable parental consent. Any persistence-before-consent regression is in scope.

What is out of scope

  • An answer the bust gives. The bust occasionally produces re-questions that a reviewer might consider too generic, off-topic, or unhelpful. That is a tuning concern, not security. Open an issue with the enhancement label.
  • Upstream Gemma 4 model output bias / hallucination. We acknowledge these limitations. They affect every Gemma 4 application equally and do not constitute a vulnerability in this project specifically.
  • macOS / Xcode / hardware bugs. Report those to Apple.
  • Build infrastructure attacks not affecting end users. CI failures are publicly visible by design. Build-time supply chain compromises (e.g., a malicious dependency snuck in) ARE in scope, but a contributor pushing a branch that fails CI is not.

Hardening invariants — checklist for reviewers

Pull requests must NOT:

  • Add or remove any <key>com.apple.security.network.*</key> entry in apps/macos/HeWasSocrates/HeWasSocrates/Resources/HeWasSocrates.entitlements
  • Set requiresOnDeviceRecognition = false in AudioInputManager.swift
  • Read system prompt content from any non-compile-time source (no Bundle.main.url(forResource: "system-prompt"…), no environment variable, no UserDefaults, no command-line argument, no UI text field)
  • Skip ModelIntegrity.verify(...) in non-debug builds
  • Persist child-mode-classified Wonder entries without first checking a parentalConsentVerified flag (Phase 4 day-1 implementation pending)
  • Add a Python or Swift dependency that ships in the DMG and reaches the network at runtime

CI runs gitleaks to catch committed secrets; manual review is still required for the structural invariants above.
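The scope list and the reviewer checklist above describe structural invariants that are currently enforced by manual review. As an added example (not code from the he-was-socrates project), the POSIX shell script below is a CI gate that mechanically catches four of them: a network entitlement in the entitlements file, requiresOnDeviceRecognition set to false, the system prompt loaded via Bundle.main.url(forResource: "system-prompt"...), and the disappearance of every ModelIntegrity.verify(...) call site. The entitlements path and the SystemPrompt/ModelIntegrity names come from the policy text; the fixture contents, the ModelLoader.swift file name and the argument passed to verify are constructed assumptions. The COPPA persistence check is left out because the policy says the parentalConsentVerified flag is still pending.

```shell
#!/bin/sh
# Added example (not part of the he-was-socrates repository): a CI gate for
# four of the reviewer-checklist invariants. Paths and the SystemPrompt /
# ModelIntegrity identifiers follow the policy; fixture contents, the
# ModelLoader.swift name and the verify(...) argument are assumptions.

# swift_grep <root> <ERE>: print the Swift files under <root> matching <ERE>.
swift_grep() {
  find "$1" -type f -name '*.swift' -exec grep -lE "$2" {} + 2>/dev/null
}

# check_invariants <root>: print one line per violation. The return value
# (exit status) is the number of violations, so 0 means the tree is clean.
check_invariants() {
  root="$1"
  ent="$root/apps/macos/HeWasSocrates/HeWasSocrates/Resources/HeWasSocrates.entitlements"
  violations=0

  # Invariant 1: no com.apple.security.network.* entitlement may exist at all,
  # because the App Sandbox is meant to stay offline.
  if [ -f "$ent" ] && grep -q 'com\.apple\.security\.network\.' "$ent"; then
    echo "VIOLATION: network entitlement declared in $ent"
    violations=$((violations + 1))
  fi

  # Invariant 2: requiresOnDeviceRecognition must never be assigned false.
  if [ -n "$(swift_grep "$root" 'requiresOnDeviceRecognition[[:space:]]*=[[:space:]]*false')" ]; then
    echo "VIOLATION: requiresOnDeviceRecognition = false found"
    violations=$((violations + 1))
  fi

  # Invariant 3: the system prompt must not be loaded from a bundle resource
  # at runtime (the checklist names Bundle.main.url(forResource: "system-prompt")).
  if [ -n "$(swift_grep "$root" 'forResource: "system-prompt"')" ]; then
    echo "VIOLATION: system prompt read from a runtime bundle resource"
    violations=$((violations + 1))
  fi

  # Invariant 4: at least one ModelIntegrity.verify(...) call site must remain;
  # deleting the only call would silently skip the SHA-256 check.
  if [ -z "$(swift_grep "$root" 'ModelIntegrity\.verify\(')" ]; then
    echo "VIOLATION: no call to ModelIntegrity.verify(...) found"
    violations=$((violations + 1))
  fi

  return "$violations"
}

# make_fixture <dir> <clean|violating>: write a constructed mini source tree
# (sample data for this example, not real project files).
make_fixture() {
  dir="$1"
  res="$dir/apps/macos/HeWasSocrates/HeWasSocrates/Resources"
  gemma="$dir/packages/SocraticEngine/Sources/SocraticEngine/Gemma"
  mkdir -p "$res" "$gemma"
  if [ "$2" = violating ]; then
    printf '%s\n' '<key>com.apple.security.app-sandbox</key><true/>' \
      '<key>com.apple.security.network.client</key><true/>' > "$res/HeWasSocrates.entitlements"
    printf '%s\n' 'request.requiresOnDeviceRecognition = false' > "$dir/AudioInputManager.swift"
    printf '%s\n' 'let url = Bundle.main.url(forResource: "system-prompt", withExtension: "txt")' \
      > "$gemma/SystemPrompt.swift"
    # No ModelLoader.swift here, so no ModelIntegrity.verify(...) call site exists.
  else
    printf '%s\n' '<key>com.apple.security.app-sandbox</key><true/>' > "$res/HeWasSocrates.entitlements"
    printf '%s\n' 'request.requiresOnDeviceRecognition = true' > "$dir/AudioInputManager.swift"
    printf '%s\n' 'enum SystemPrompt { static let composed = "compile-time prompt" }' \
      > "$gemma/SystemPrompt.swift"
    printf '%s\n' 'try ModelIntegrity.verify(weightsURL)' > "$dir/ModelLoader.swift"
  fi
}

# Stand-alone demo on the constructed fixtures.
demo=$(mktemp -d)
make_fixture "$demo/violating" violating
make_fixture "$demo/clean" clean
check_invariants "$demo/violating" || echo "violating tree: $? violation(s)"
check_invariants "$demo/clean" && echo "clean tree: no violations"
rm -rf "$demo"
```

In CI the script would be pointed at the checked-out repository root instead of the fixture, and a non-zero exit fails the job. Pattern-based gates like this are a tripwire, not a proof: a change can still route around them (for instance by assembling the resource name at runtime), which is exactly why the policy keeps manual review of the structural invariants mandatory.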

Past incidents

None as of 2026-05-05. This section will be updated if any are reported.

Disclosure credit

Reporters who follow coordinated disclosure receive credit in the project's CHANGELOG.md under ### Security of the relevant release, unless they request anonymity. PRs that fix reported issues retain authorship attribution in commit history per normal Git conventions.

Acknowledgments

This security policy was reviewed by an internal security audit recorded at runs/2026-05-05-spec/spec/security-audit-2026-05-05.md (when generated by the security-engineer agent).

There aren't any published security advisories