Reporting a Vulnerability
Do not open a public GitHub issue for a security vulnerability. Report privately via one of:
- Email: security@miton.dev (PGP key on request)
- GitHub Security Advisories: use the "Security" tab on the repository.
We aim to acknowledge reports within 72 hours. We will work with you to understand the issue, develop a fix, and coordinate a public disclosure.
Supported Versions
| Version | Supported |
| --- | --- |
| 0.x (current pre-release) | supported |
| < 0.1.0 | not supported |

Once 1.0.0 is released, the supported version policy will be:
- The latest MINOR release (e.g. 1.4.x).
- The previous MINOR release for 90 days after a new MINOR ships.
What Miton does (and doesn't) collect
Miton is a native desktop app. By default, the app does not transmit your code, your chat, your files, or your model keys off your machine. The model layer, the chat surface, the codebase search, the file system, and the workflow daemon all run locally.
Specifically, Miton does not:
- Read or transmit your project files.
- Read or transmit your chat history.
- Read or transmit your model keys.
- Run a cloud agent that executes your work on a vendor VM.
- Send analytics, telemetry, or crash reports by default.
Outbound network calls are made only when the user explicitly configures a model provider, an integration, or a workflow trigger. In every case, the call is made to a user-configured endpoint, with a user-provided key, and is visible in the activity tree.
Cryptographic posture
Model keys are stored in the OS keychain via the Miton Vault package. They never appear in plaintext logs, never leave the device, and are wiped on uninstall.
The bundled Tauri shell uses standard sandboxing. Tauri commands are limited to filesystem, shell, search, and MCP operations; the full allow-list is in apps/desktop/src-tauri/tauri.conf.json.
Acknowledgements
We credit reporters who follow responsible disclosure. With your permission, we will list your name in the release notes for the version that fixes the issue.