Security
How to verify a download is legitimate, and how to report a vulnerability.
Verify your download
There's no build available to download yet, so there's no checksum to verify. Once a real macOS build ships, its SHA256 checksum will be published on the Download page, and this page will show the exact command to verify it.
Gatekeeper warnings
Early PortableRAG builds are not notarized by Apple, so macOS will warn that the app is from an unidentified developer when one becomes available. That's expected for an early access build — signed, notarized builds are planned before a wider public launch.
Report a vulnerability
If you believe you've found a security issue, please report it privately via the Contact page. Please don't open a public issue or disclose it publicly until it's been resolved.
- What to include: steps to reproduce, affected URL or component, and impact. A proof-of-concept helps.
- Response time: I aim to acknowledge reports within 3 business days and to keep you updated as I work on a fix.
- Scope: this website (the marketing site, waitlist, and admin panel) and, once released, the PortableRAG desktop app. Third-party services the site relies on are out of scope — report those to the provider.
- Supported versions: there is no public release yet, so reports should target the current website. Once builds ship, only the latest release will receive security fixes during early access.
- Safe harbor:I won't pursue or support legal action against good-faith research that respects this policy, avoids privacy violations and service disruption, and gives me reasonable time to remediate before any public disclosure.
Machine-readable policy
A security.txt file (RFC 9116) is published with the current security contact and this policy link.