We release patches for security vulnerabilities for the following versions:
| Version | Supported |
|---|---|
| 1.x.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability in xBrew, please report it by emailing security@xdev.asia.
Please do not report security vulnerabilities through public GitHub issues.
Please include as much of the following information as you can, so we can understand the nature and scope of the issue:
- Type of vulnerability
- Full paths of source file(s) related to the manifestation of the vulnerability
- The location of the affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the issue, including how an attacker might exploit it
After you submit a report:
- We will acknowledge receipt of your vulnerability report within 48 hours
- We will send you regular updates about our progress
- We will notify you when the vulnerability is fixed
- We may ask for additional information or guidance
When using xBrew:
- Keep the app updated to the latest version
- Review permissions granted to the app in System Settings
- Be cautious when adding third-party taps
- Verify package sources before installation
- Report any suspicious behavior immediately
xBrew runs in a sandboxed environment with limited system access:
- Read/write access to `/opt/homebrew/` and `/usr/local/` (Homebrew directories only)
- Network access for downloading packages
- iCloud access for Brewfile sync (optional)
All permissions are declared in `xBrew.entitlements`.
This repository uses:
- CodeQL for automated vulnerability scanning
- Dependabot for dependency updates
- GitHub Security Advisories for coordinated disclosure
For security concerns: security@xdev.asia
For general issues: GitHub Issues