| Version | Supported |
|---|---|
| Latest (main branch) | ✅ Yes |
| Older releases | ❌ No |
If you discover a security vulnerability in Hazel, do NOT open a public issue.
Use GitHub's built-in Private Vulnerability Reporting to report it securely.
Please include the following in your report:
- Description of the vulnerability
- Steps to reproduce
- Affected component (Android / Windows)
- Potential impact
Expected response times:

| Action | Timeframe |
|---|---|
| Acknowledgment | Within 48 hours |
| Initial assessment | Within 7 days |
| Fix release | Depends on severity |
In scope:
- Script injection via malicious URLs
- Unauthorized file system access beyond Download folder
- Credential or token exposure in logs or temp files
- Vulnerabilities introduced through Hazel's dependencies (yt-dlp, FFmpeg)

Out of scope:
- Bugs in the third-party tools themselves (yt-dlp, FFmpeg) — report those upstream
- Social engineering attacks
- Denial of service on local machine
Security design:
- No credentials stored — Hazel does not handle user accounts or tokens
- Minimal permissions — only READ storage for music library, no MANAGE_EXTERNAL_STORAGE
- No telemetry — no data is collected or transmitted
- In-app updates — APK downloads verified via GitHub Releases API
App updates are delivered via GitHub Releases with in-app download and install.