Security: cheat2001/eyebreak

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.0.x

Reporting a Vulnerability

We take security seriously at EyeBreak. If you discover a security vulnerability, please follow these steps:

How to Report

DO NOT open a public issue for security vulnerabilities.

Instead:

  1. Email: Send details to [email protected] with the subject "EyeBreak Security Vulnerability"
  2. Include:
    • Description of the vulnerability
    • Steps to reproduce
    • Potential impact
    • Suggested fix (if any)
    • Your contact information

What to Expect

  • Acknowledgment: We'll acknowledge your report within 48 hours
  • Updates: We'll keep you informed about our progress
  • Fix: We'll work on a fix and release a patch as soon as possible
  • Credit: We'll credit you in the release notes (unless you prefer to remain anonymous)

Scope

Security issues we're interested in:

  • Privacy violations: Data leaking outside the app
  • Privilege escalation: Unauthorized access to system resources
  • Code injection: Ability to execute arbitrary code
  • Permission bypasses: Circumventing macOS security features

Out of Scope

  • Issues requiring physical access to an unlocked device
  • Social engineering attacks
  • Issues in third-party dependencies (report to the dependency maintainers)

Security Best Practices

EyeBreak follows these security practices:

Data Privacy

  • ✅ All data stored locally using UserDefaults
  • ✅ No network requests or data transmission
  • ✅ No analytics or telemetry
  • ✅ No third-party SDKs or dependencies

macOS Security

  • ✅ App Sandbox enabled
  • ✅ Hardened Runtime enabled
  • ✅ Code signing required
  • ✅ Proper entitlements for screen recording
  • ✅ User permission requests for all privileged operations

Code Security

  • ✅ Swift's memory safety features
  • ✅ No use of unsafe pointers (except in IdleDetector with IOKit)
  • ✅ Input validation where applicable
  • ✅ Secure coding practices

Permissions

The app requests only necessary permissions:

  • Screen Recording: Required only for screen blur feature
  • Notifications: Optional, for break reminders

If a user denies a permission, the app degrades gracefully: the feature that needs that permission is disabled and the rest of the app keeps working.
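The permission model above (preflight without prompting, ask only when a feature actually needs it, and keep the app usable when the answer is no) can be written as a small gate. This is an added example, not code from the EyeBreak project; the type and function names are hypothetical, while the CoreGraphics and UserNotifications calls are the public macOS APIs for these two permissions.

```swift
import Foundation
import CoreGraphics
import UserNotifications

/// Feature set the app may run, derived from what the user actually granted.
struct AvailableFeatures {
    var screenBlur: Bool
    var breakNotifications: Bool
}

/// Hypothetical helper: checks Screen Recording access silently first, and only
/// shows the system prompt when the user is about to use the blur feature.
func screenBlurAvailable(promptIfNeeded: Bool) -> Bool {
    // Preflight never shows a TCC dialog, so calling it at launch is harmless.
    if CGPreflightScreenCaptureAccess() { return true }
    guard promptIfNeeded else { return false }
    // This triggers the system prompt. It can return false while the dialog is
    // still open or after a denial; either way the app keeps running without blur.
    return CGRequestScreenCaptureAccess()
}

/// Notifications are optional: ask once, and fall back to in-app reminders
/// whenever the user has not granted them.
func breakNotificationsAvailable(completion: @escaping (Bool) -> Void) {
    let center = UNUserNotificationCenter.current()
    center.getNotificationSettings { settings in
        switch settings.authorizationStatus {
        case .authorized, .provisional:
            completion(true)
        case .notDetermined:
            center.requestAuthorization(options: [.alert, .sound]) { granted, _ in
                completion(granted)
            }
        default:
            // Denied (or any other state): do not re-prompt, just degrade.
            completion(false)
        }
    }
}

/// Resolves the feature set once; the rest of the app reads this struct instead
/// of calling privileged APIs directly, which keeps "permission denied" a normal
/// code path rather than an error.
func resolveFeatures(userWantsBlur: Bool,
                     completion: @escaping (AvailableFeatures) -> Void) {
    let blur = screenBlurAvailable(promptIfNeeded: userWantsBlur)
    breakNotificationsAvailable { notifications in
        completion(AvailableFeatures(screenBlur: blur, breakNotifications: notifications))
    }
}
```

Exercising `resolveFeatures` with both permissions denied is the "test permission denial scenarios" item from the contributor checklist: the returned struct should simply have both flags false, with no crash or retry loop.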

Disclosure Policy

  • Security vulnerabilities will be disclosed after a fix is available
  • We'll publish a security advisory with details of:
    • The vulnerability
    • Affected versions
    • The fix
    • Credit to the reporter
  • Critical vulnerabilities will be fixed within 7 days
  • Non-critical vulnerabilities will be fixed in the next release

Security Checklist for Contributors

When contributing code, please ensure:

  • No hardcoded secrets or credentials
  • No unnecessary permissions requested
  • Input validation for user-provided data
  • Proper error handling
  • No use of deprecated APIs
  • Follow Swift security best practices
  • Test permission denial scenarios

Additional Resources

Contact

For non-security issues, please use GitHub Issues.

For security issues, email: [[email protected]]

Thank you for helping keep EyeBreak secure! 🔒✨