Security policy
LocalEmu runs locally and stores no remote telemetry, but the codebase is sizeable and handles untrusted data through several services. If you find something that looks like a security issue, we want to hear about it.
Responsible disclosure
Email security@localemu.cloud (fallback: info@localemu.cloud). Please do not file a public GitHub issue for suspected vulnerabilities until we have had a chance to investigate and ship a fix.
Include in the report:
- A short summary of the issue and the affected service or component.
- A repro that can be run against a clean LocalEmu install.
- The LocalEmu version (localemu --version) and platform.
- A suggested CVSS rating if you have one (we will assess regardless).
SLA
- Acknowledgement: within 5 business days of receipt.
- Initial triage: within 10 business days.
- Fix or mitigation: target 30 days for high-severity issues; longer for lower-severity items if a workaround exists.
Scope
In scope. The LocalEmu codebase (github.com/localemu/localemu), the awsemu CLI, the website, and shipped examples (github.com/localemu/localemu-examples).
Out of scope. Issues in third-party software LocalEmu integrates with (Docker, k3d, Postgres, MySQL, Moto). Please report those upstream.
No bounty program (yet)
We do not currently run a paid bounty program. We do credit researchers in release notes and the changelog (with permission) and we are happy to write public acknowledgement letters for CVEs.