Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in Crow, please report it by emailing security@radiusmethod.com. Include as much detail as possible:
- A description of the vulnerability
- Steps to reproduce the issue
- Affected components and potential impact
- The Crow macOS application
- The
crowCLI - IPC socket protocol and internal packages
The following components are maintained by other projects. Please report vulnerabilities directly to them:
- Ghostty terminal — ghostty-org/ghostty
- Claude Code — Anthropic
- GitHub CLI (
gh) / GitLab CLI (glab) — Their respective maintainers
We ask that you practice responsible disclosure:
- Allow us reasonable time to investigate and address the issue before any public disclosure
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption during your research
- Do not publicly disclose the vulnerability until a fix has been released or 90 days have passed since your initial report, whichever comes first