Termif is pre-1.0 software. Security fixes target the current main branch and the latest published GitHub Release.

Please do not open public issues for suspected vulnerabilities involving SSH credentials, host-key verification, arbitrary file access, update signing, or release artifact integrity.

Report privately through GitHub Security Advisories for this repository. Include:

• affected version or commit;
• operating system;
• reproduction steps;
• expected impact;
• any relevant logs with secrets removed.

• Acknowledgement: within 5 business days.
• Initial assessment: within 10 business days.
• Fix or mitigation plan: communicated once severity is confirmed.
• Coordinated disclosure: we will agree on a disclosure date with the reporter and credit you in the advisory unless you prefer to remain anonymous.

Please give us a reasonable opportunity to remediate before any public disclosure.

Termif must not log passwords, private keys, passphrases, SSH payloads, or updater signing material. Reports and test cases should use disposable hosts and throwaway credentials.

Termif is local-first. Backend-owned JSON files are stored in the Tauri app data directory for the current user:

• settings.json stores appearance, terminal, SSH, file manager, hotkey, and status bar settings.
• hosts.json stores managed SSH hosts, groups, and import overrides for ~/.ssh/config.
• ui_state.json stores tab presentation metadata, active tab id, sidebar state, and selected sidebar tool.

Frontend snippets are currently stored in browser/WebView localStorage under termif.snippets.v1. Bounded per-tab terminal scrollback snapshots are stored in localStorage under termif.terminal.log.*. These logs are for UI restoration, not audit logging.

Imported SSH hosts are read from the user's standard ~/.ssh/config; Termif does not copy private keys into its own store. Managed host entries can currently include an optional password in hosts.json. That is a known sensitive-data risk and should only be used with disposable or low-risk hosts until encrypted secret storage/keychain integration lands.

Termif has a ssh.strict_host_key_checking setting and host-key trust UI, but host-key enforcement is still a hardening area. Do not treat current host-key behavior as equivalent to OpenSSH's mature known_hosts model yet.

Host-key checking is enabled by default. With it enabled, unknown host keys are recorded on first use (TOFU) into ~/.ssh/known_hosts and a changed key is rejected. Disabling ssh.strict_host_key_checking accepts any presented key and removes protection against man-in-the-middle attacks — only disable it on trusted networks for hosts you control.

Termif opens exactly one category of external link: clicking the GitHub entry hands a URL to the OS default browser. The backend open_external_url command only accepts https:// URLs restricted to the standard URL character set, and never routes through a shell, so it cannot be used as a generic command or file launcher.

Termif should not log passwords, private keys, passphrases, updater signing keys, or full SSH payloads. The app may surface command stderr, connection errors, file operation errors, and bounded terminal scrollback for local UI restoration.

The Rust backend owns SSH transport, local filesystem operations, settings persistence, and update integration. Frontend code should not introduce new persistence or execution paths that bypass backend validation.

• Move managed host passwords to OS keychain/credential vault storage or remove password persistence.
• Align strict host-key checking with a durable known-hosts model and clear first-use/update prompts.
• Reduce Tauri asset protocol scope once background image/file-preview requirements are narrower.
• Add Windows code signing and macOS Developer ID signing/notarization.
• Add release provenance/attestation beyond checksum files.