| Version | Supported |
|---|---|
| Latest | ✅ |

We take the security of Auralis Music seriously. If you discover a security vulnerability, please report it to us responsibly before disclosing it publicly.
- Email: security@auralismusic.com
- Private Issue: Create a private issue on our GitHub repository
- PGP Key: Available upon request for encrypted communications

Please include:
- Detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact assessment
- Any proof-of-concept code or screenshots

- Critical: Within 24 hours
- High: Within 48 hours
- Medium: Within 72 hours
- Low: Within 1-2 weeks

- Local Storage: All user data is stored locally on the device
- Network Security: HTTPS/TLS encryption for all network communications
- API Keys: Sensitive credentials are properly obfuscated and not hardcoded
- Firebase Integration: Follows Firebase security best practices
- Proxy Support: Built-in proxy support for enhanced privacy
- No Tracking: No unnecessary analytics or tracking beyond essential functionality
- Local Playback: Offline mode prevents unnecessary network exposure

- Download APKs only from official sources (GitHub releases)
- Keep the app updated to the latest version
- Use secure network connections when streaming
- Review app permissions carefully

- Follow secure coding practices in Kotlin
- Use dependency scanning for vulnerable libraries
- Implement proper input validation
- Secure Firebase configuration

- Firebase: Used for crash reporting and analytics (optional)
- Music APIs: Integration with external music services
- Lyrics Services: Third-party lyrics providers

- Music streaming from various sources
- Lyrics synchronization services
- Metadata fetching from music databases

Security updates are delivered through:
- App Updates: Regular security patches in new releases
- Dependency Updates: Automated dependency scanning and updates
- Security Advisories: Published for critical vulnerabilities

We follow a responsible disclosure approach:
- Acknowledge receipt of vulnerability reports within 48 hours
- Provide regular updates on remediation progress
- Aim to patch critical vulnerabilities within 30 days
- Coordinate public disclosure timing with reporters
- Credit security researchers in our security advisories

- GitHub Issues: Private Issue Reporting

This security policy is part of the Auralis Music project and follows the same GPL-3.0 license terms.

Note: This security policy is a living document and may be updated as our security practices evolve. Last updated: January 2026