Published beta document
Security Policy
Last updated: April 2026
This website page summarizes the repository SECURITY.md. The repo policy is the source of truth; update SECURITY.md before adding divergent website security copy.
Report a vulnerability
Do not open a public issue for a vulnerability. Email viperjuice@users.noreply.github.com with a description, reproduction steps, potential impact, and suggested fix if available. The current repo policy says reports are acknowledged within 48 hours and critical fixes aim for release within 7 days.
Scope
Talk-to-Tux runs as a local Linux desktop application with access to microphone audio, input devices, clipboard, screen content, and network APIs for configured STT and LLM providers. Hosted mode also uses Supabase Edge Functions and Groq-backed processing today.
Areas of concern
- API keys are stored in ~/.config/talk-to-tux/secrets.env and should not be logged or cached.
- Audio is sent to the configured STT provider, which may be the hosted Supabase relay or a BYO endpoint.
- Screenshots can be captured for rewrite context and sent according to the configured rewrite path.
- The local debug cache at ~/.cache/talk-to-tux/runs/ is off by default.
- The side-button device can be grabbed exclusively while other events are forwarded through uinput.
Supported versions
Latest main is supported. Older commits are best effort. Review SECURITY.md before relying on a specific version for a sensitive environment.