| Version | Supported |
|---|---|
| 2.x | Yes |
| 1.x | No |
We take security seriously at Voco. If you discover a security vulnerability, please report it responsibly.
- Email: Send details to security@voco.ai
- Do NOT open a public GitHub issue for security vulnerabilities
- Include as much detail as possible:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Resolution Target: Within 30 days for critical issues
- We will acknowledge receipt of your report
- We will investigate and validate the issue
- We will work on a fix and coordinate disclosure
- We will credit you in our security advisories (unless you prefer anonymity)
Voco is built with a zero-trust architecture:
- No Direct File Access: The AI engine (Python) has zero direct access to your filesystem. All file operations go through the Tauri Rust backend with path validation.
- Human-in-the-Loop: High-risk commands (git push, database mutations) require explicit user approval before execution.
- Sandboxed Execution: All terminal commands run in a scoped sandbox with filesystem boundaries enforced by Tauri's fs_scope.
- Local-First: Your source code never leaves your machine. Voice audio is streamed to Deepgram for transcription only.
The following are in scope for security reports:
- Path traversal in the MCP Gateway
- Bypass of Human-in-the-Loop approval
- WebSocket injection or manipulation
- Authentication/authorization flaws
- Data exposure or leakage
- Denial of service attacks
- Social engineering
- Issues in third-party dependencies (report to the upstream project)