Please report security issues privately to hello@alexradu.net (subject: “Balaur security”). Do not open a public issue for vulnerabilities.
We aim to acknowledge within 72 hours and to agree a disclosure timeline with you. Please allow reasonable time for a fix before public disclosure — we’re glad to credit you.
Balaur handles sensitive personal data (journal, health, messages). High-value reports:
.env, provider API keys, OAuth tokens, local runtime credentialsDuring early development, only the latest main is supported.