Security: owklama/extudio

docs/SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in Extudio, please report it responsibly.

Email: security@extudio.dev

Please include:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues.

Scope

  • The Extudio application and its Vite plugins
  • Dependencies directly used by Extudio

Out of Scope

  • Third-party services (X/Twitter API, Claude CLI, Gemini API)
  • Issues in upstream dependencies (please report those to the respective maintainers)

Security Considerations

  • API Keys — CLI mode: Keys for X_CLIENT_ID/SECRET, OPENAI_API_KEY, and GEMINI_API_KEY live in your local .env file and are read only by the Vite dev-server plugins. They never reach the browser.
  • API Keys — in-app (Settings → API mode): Keys entered through the Settings UI for Anthropic, OpenAI, OpenRouter, DeepSeek, xAI, and Perplexity are persisted to localStorage in plaintext so the browser can forward them to the proxy plugin on each request. This is convenient for single-user local installs but means:
    • Any XSS in the app or a malicious browser extension can read them.
    • They survive across reloads — if you share the machine, clear them in Settings → Data.
    • For stricter setups, prefer CLI mode (claude, codex, gemini CLIs) or add the key to .env and leave the in-app field blank.
  • Gemini key in URL: The Gemini API requires the key as a URL query parameter per their API design — this is expected behavior.
  • SSRF Protection: The brand scraper validates URLs and resolves DNS to block private IP ranges before fetching.
  • Local-only: Extudio runs entirely on your local machine. There is no hosted backend or shared infrastructure.
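An added example, not Extudio's own scraper code, of the check the SSRF bullet describes: parse the URL, reject non-HTTP schemes, embedded credentials and localhost, then resolve the host and refuse any address in a private, loopback or link-local range. The `lookup` argument is an assumed injection point so the check runs offline; in a Vite dev-server plugin it would wrap `dns.promises.lookup(host, { all: true })`.

```javascript
function ipv4ToInt(ip) {
  const p = ip.split('.');
  if (p.length !== 4 || !p.every((o) => /^\d{1,3}$/.test(o) && Number(o) <= 255)) return null;
  const [a, b, c, d] = p.map(Number);
  return ((a << 24) >>> 0) + (b << 16) + (c << 8) + d;
}

// "this" net, RFC 1918, CGNAT, loopback, link-local (incl. cloud metadata 169.254.169.254).
const BLOCKED_V4 = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16],
].map(([base, bits]) => [ipv4ToInt(base), bits]);

function isBlockedIpv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return true; // unparsable: fail closed
  return BLOCKED_V4.some(([base, bits]) => (n >>> (32 - bits)) === (base >>> (32 - bits)));
}

function isBlockedIpv6(ip) {
  const a = ip.toLowerCase();
  if (a === '::1' || a === '::') return true; // loopback, unspecified
  const mapped = a.match(/^::ffff:(\d+\.\d+\.\d+\.\d+)$/); // IPv4-mapped form
  if (mapped) return isBlockedIpv4(mapped[1]);
  return /^fe[89ab]/.test(a) || /^f[cd]/.test(a); // fe80::/10 link-local, fc00::/7 ULA
}

const isBlockedAddress = (ip) => (ip.includes(':') ? isBlockedIpv6(ip) : isBlockedIpv4(ip));

// Network-free checks. The WHATWG URL parser already normalises IPv4 tricks such as
// http://2130706433/ or http://0x7f.1/ to a dotted literal, which is then blocked here.
function validateScrapeUrl(input) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: 'malformed URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname.replace(/^\[|\]$/g, ''); // strip IPv6 literal brackets
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'localhost' };
  if ((/^[\d.]+$/.test(host) || host.includes(':')) && isBlockedAddress(host)) {
    return { ok: false, reason: `literal address ${host} is blocked` };
  }
  return { ok: true, url, host };
}

// Resolve the host (lookup returns [{ address, family }, ...], as dns.promises.lookup
// with { all: true } does) and refuse if ANY returned address is blocked.
async function checkScrapeTarget(input, lookup) {
  const v = validateScrapeUrl(input);
  if (!v.ok) return v;
  const addresses = (await lookup(v.host)).map((r) => r.address);
  const bad = addresses.find(isBlockedAddress);
  return bad ? { ok: false, reason: `resolves to blocked address ${bad}` } : { ok: true, url: v.url, addresses };
}
```

Checking here and then letting the HTTP client resolve the name a second time leaves a DNS-rebinding window; connecting to the vetted address instead (a custom `lookup` on the HTTP agent) closes it.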

There aren't any published security advisories