| Version | Supported |
|---|---|
| 0.1.x | Yes |
If you discover a security vulnerability in Muxi, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, please email the maintainers directly or use GitHub's private vulnerability reporting feature:
- Go to the Security Advisories page
- Click "Report a vulnerability"
- Provide a detailed description of the issue
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial assessment: Within 1 week
- Fix release: Dependent on severity, typically within 2 weeks for critical issues
Muxi handles SSH connections and credentials. Key security areas:
- All passwords and private keys are stored in the iOS Keychain
- Never stored in SwiftData, UserDefaults, or plain files
- Never logged, even at debug level
- All user input passed to SSH commands must use
shellEscaped() - Raw string interpolation into shell commands is prohibited
- See CONTRIBUTING.md for code style requirements
- SSH connections use libssh2 with standard key exchange algorithms
- No custom cryptography implementations