Security: morganavickery/open-aac

Security & Privacy Policy

Open AAC is committed to protecting user privacy and data ownership. Because this project supports people who rely on AAC for communication, security and responsible disclosure are especially important.

Supported versions

At this time, security updates apply to the latest version on the main branch.

Reporting a security issue

If you discover a security or privacy vulnerability, please do not open a public GitHub issue.

Instead, report it privately by contacting:

  • Maintainer contact: <your-email-or-github-handle>

(Replace this before publishing.)

Please include:

  • A description of the vulnerability
  • Steps to reproduce (if applicable)
  • Potential impact (e.g., data exposure, loss of access)
  • Any relevant screenshots or logs (avoid sensitive user data)

We will acknowledge receipt as soon as possible and work with you on a fix.

Privacy principles

Open AAC follows these guiding principles:

  • Local-first by default — data is stored on the user’s device unless they explicitly opt into sync features.
  • User ownership — users should be able to export, back up, and delete their data at any time.
  • Minimal data collection — no analytics, tracking, or telemetry by default.
  • Transparency — any future cloud or analytics features must be opt-in and documented clearly.

Responsible disclosure

We ask security researchers to:

  • Give us reasonable time to address issues before public disclosure.
  • Avoid accessing or modifying user data beyond what is necessary to demonstrate the issue.
  • Act in good faith to improve the safety of the project.

Scope

Security issues may include (but are not limited to):

  • Data leakage or unintended data persistence
  • Cross-site scripting (XSS) or injection issues
  • Insecure storage of user-generated content
  • Unauthorized access to boards, voices, or settings
  • Privacy violations or unexpected data transmission

Thank you for helping keep Open AAC safe.

🔔 Important: Replace <your-email-or-github-handle> in SECURITY.md before committing.
