
Security policy

We take security seriously because GingerMail handles email — the most sensitive workflow most people have on their computer.

How to report a vulnerability

Please do not file public GitHub issues for security bugs. Email security@gingermail.app with a description and reproduction steps, the version you tested, your OS and version, and whether the bug needs user interaction.

What to expect

  • We acknowledge new reports within 2 business days.
  • We aim to ship a fix within 30 days for High/Critical issues.
  • We credit reporters in the release notes unless you ask us not to.
  • We do not currently run a paid bounty program.

In scope

  • The desktop application (macOS + Windows).
  • The auto-update channel.
  • Anything in the repository, including build scripts and CI.

Out of scope

  • Third-party mail providers (report to Google/Microsoft/Apple).
  • Third-party AI vendors (report to OpenAI/Anthropic/Google).
  • Self-hosted Ollama (report upstream).
  • Findings that require physical access to an unlocked device.
  • Findings that require local-admin / root privileges.

Hardening already in place (v1.0)

  • At-rest DB encryption with SQLCipher; key stored in the OS keychain.
  • Secret-scrubbing logger that strips tokens and credentials before anything is written.
  • Renderer hardening with a strict content-security policy and navigation guards.
  • Mail-body iframe lockdown — sandboxed with no allow tokens and a default-src 'none' CSP.
  • OAuth with PKCE and a per-attempt state nonce.
  • AI egress allowlist so cloud calls can only reach the vendor you picked.
  • Validated IPC with a sender guard and schema checks on high-impact channels.
  • Opt-in auto-updater with a kill-switch and no silent downgrades.

For the full disclosure surface, see our .well-known/security.txt entry point in the app repository.