Report a vulnerability
Email security@builderking.io. Please don't post suspected vulnerabilities publicly before we've had a chance to respond.
Include the app version, macOS version, target application, reproducible steps using synthetic text, expected and actual behavior, impact, and any known workaround. Never include real passwords, tokens, prompts, client data, clipboard contents, Keychain exports, or a Koru vault database.
The security baseline
- Content encrypted at rest with a non-synchronizing Keychain key.
- Secure-field suppression and per-app exclusions that fail closed.
- No raw-keystroke persistence and no content-bearing diagnostics.
- Bounded, opt-in clipboard retention.
- Explicit insertion and explicit selection saving — nothing automatic.
- Signed and notarized release artifacts.
Diagnostics without your content
Support bundles are created only after an explicit action, previewed locally, and editable before you share them. They contain version, permission, and health information — never saved content, clipboard payloads, queries, file paths, or keys. Nothing is ever uploaded automatically.
Related reading
See the privacy model for data boundaries, retention, and deletion behavior.