Security

Security Policy

Only the latest public release is supported for security fixes. Update before reporting unless the issue also reproduces on the latest version.

Reporting a vulnerability

Do not post tokens, config files, logs, screenshots with secrets, or exploit details in a public issue. Use GitHub private vulnerability reporting if available, or open a minimal public issue asking for a private contact.

Enhanced metadata hardening

  • The debug port is randomly selected from a high local port range.
  • The selected port is stored in memory for the app session.
  • The app refuses non-Amazon Music targets.
  • The common DevTools port 9222 is not used for launching Amazon Music.

Tokens and secrets

Last.fm and ListenBrainz tokens are stored locally when enabled. Diagnostics redact known token values, but config files should still be treated as private.

Updates

The updater checks GitHub releases, opens the release page before running an installer, and verifies SHA256 when release notes include a hash.
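One way an updater can perform the SHA256 check described above, including the case where the release notes publish no hash. This is an added example, not this project's code; the function names, the assumed release-notes format (a bare 64-hex-digit digest) and the sample installer bytes are all constructed for illustration.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Assumption: release notes carry the digest as a bare 64-hex-digit string.
SHA256_RE = re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def extract_sha256(release_notes):
    """Return the one SHA256 digest in the notes, or None if there is none."""
    found = {m.lower() for m in SHA256_RE.findall(release_notes)}
    if len(found) > 1:  # ambiguous: refuse rather than guess
        raise ValueError("more than one distinct SHA256 in release notes")
    return found.pop() if found else None


def file_sha256(path):
    """Hash in chunks so a large installer is never fully loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_installer(path, release_notes):
    """Return 'verified', 'mismatch', or 'no-hash' (nothing to compare)."""
    expected = extract_sha256(release_notes)
    if expected is None:
        return "no-hash"  # must not be shown to the user as a passed check
    ok = hmac.compare_digest(file_sha256(path), expected)
    return "verified" if ok else "mismatch"


def demo():
    """Run the check on a constructed installer and three constructed notes."""
    data = b"constructed installer bytes"
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "setup.exe"
        installer.write_bytes(data)
        good = hashlib.sha256(data).hexdigest().upper()
        return [
            check_installer(installer, f"Fixes.\nSHA256: {good}"),
            check_installer(installer, "SHA256: " + "0" * 64),
            check_installer(installer, "Bug fixes, no digest published."),
        ]
```

Keeping "no-hash" distinct from "verified" matters because the check only runs when release notes include a hash; a release without one has not been verified at all.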

Report links

Open a GitHub issue