Email security@vdiagent.ai — do not open a public GitHub issue.
Include:
- Description + impact
- Reproduction steps
- Your preferred contact / credit name
Acknowledgement within 2 business days; first substantive response within 5 business days.
This repository is vdiagent-desktop — the Windows WPF desktop overlay shipped as VdiAgent.exe via GitHub Releases and the Microsoft Store. In-scope areas:
- Screen capture, OCR, and input simulation code paths (
ScreenCaptureService,InputSimulationService, OCR pipeline) - Local session storage and export/import flows (
SessionService) - Update mechanism (
UpdateService) including the SHA-256 companion hash check - Plugin loading (
PluginService) — SHA-256 allowlist enforced - DPAPI-encrypted at-rest storage for license keys and sensitive config
- Global hotkey registration and window focus handling
- IPC with the LLM proxy (request signing, license-key header)
- Reports requiring a compromised Windows user session (the app runs as the current user).
- Findings that depend on elevating the Windows account outside the app.
- Vulnerabilities in the MS Store distribution pipeline — report those to Microsoft.
- Third-party service vulnerabilities (Vercel, Supabase, Anthropic, OpenAI, Google).
- Automated scanner findings without an exploit path.
Good-faith researchers who give us a reasonable disclosure window, avoid privacy violations / data destruction / service disruption, and do not access data beyond what's needed to demonstrate the issue will not face legal action.
- Full security whitepaper: vdiagent-docs/legal/SECURITY.md
- MS Store submission checklist: docs/STORE-SUBMISSION.md
- SLA: vdiagent-docs/legal/sla.md