# Security Policy

## Reporting a Vulnerability

If you discover a security vulnerability in OpenGUI, please report it responsibly.

**Do not open a public issue for security vulnerabilities.**

Instead, please send an email to the maintainers or use GitHub's private vulnerability reporting feature:

1. Go to the repository's **Security** tab
2. Click **Report a vulnerability**
3. Provide a detailed description of the issue

## Scope

OpenGUI involves AI-driven device automation via accessibility services. Security concerns include but are not limited to:

- Unauthorized access to device control
- API key or credential exposure
- Injection attacks via task descriptions or AI prompts
- WebSocket authentication bypass
- File upload/download vulnerabilities

## Response

We aim to acknowledge security reports within 48 hours and provide a fix or mitigation plan within 7 days for critical issues.