Skip to content

Security: iankr347-commits/AuralisMusic10

SECURITY.md

Security Policy

Supported Versions

Version Supported
Latest

Reporting a Vulnerability

We take the security of Auralis Music seriously. If you discover a security vulnerability, please report it to us responsibly before disclosing it publicly.

How to Report

Please include:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code or screenshots

Response Time

  • Critical: Within 24 hours
  • High: Within 48 hours
  • Medium: Within 72 hours
  • Low: Within 1-2 week

Security Features

Data Protection

  • Local Storage: All user data is stored locally on the device
  • Network Security: HTTPS/TLS encryption for all network communications
  • API Keys: Sensitive credentials are properly obfuscated and not hardcoded
  • Firebase Integration: Follows Firebase security best practices

Privacy Features

  • Proxy Support: Built-in proxy support for enhanced privacy
  • No Tracking: No unnecessary analytics or tracking beyond essential functionality
  • Local Playback: Offline mode prevents unnecessary network exposure

Security Best Practices

For Users

  • Download APKs only from official sources (GitHub releases)
  • Keep the app updated to the latest version
  • Use secure network connections when streaming
  • Review app permissions carefully

For Developers

  • Follow secure coding practices in Kotlin
  • Use dependency scanning for vulnerable libraries
  • Implement proper input validation
  • Secure Firebase configuration

Known Security Considerations

Third-Party Services

  • Firebase: Used for crash reporting and analytics (optional)
  • Music APIs: Integration with external music services
  • Lyrics Services: Third-party lyrics providers

Network Communications

  • Music streaming from various sources
  • Lyrics synchronization services
  • Metadata fetching from music databases

Security Updates

Security updates are delivered through:

  • App Updates: Regular security patches in new releases
  • Dependency Updates: Automated dependency scanning and updates
  • Security Advisories: Published for critical vulnerabilities

Responsible Disclosure Policy

We follow a responsible disclosure approach:

  1. Acknowledge receipt of vulnerability reports within 48 hours
  2. Provide regular updates on remediation progress
  3. Aim to patch critical vulnerabilities within 30 days
  4. Coordinate public disclosure timing with reporters
  5. Credit security researchers in our security advisories

Security Contact Information

License

This security policy is part of the Auralis Music project and follows the same GPL-3.0 license terms.


Note: This security policy is a living document and may be updated as our security practices evolve. Last updated: January 2026

There aren't any published security advisories