Do NOT open public issues for security bugs.

• Preferred: GitHub Security Advisory — https://github.com/biglinux/biglinux-webapps/security/advisories/new
• Backup: email security@biglinux.com.br (PGP key on keys.openpgp.org, fingerprint TBD)

Include: affected version, reproduction steps, impact, suggested fix (optional).

• WebView sandbox flags (no host filesystem access, no node integration)
• Per-app profile dir isolation (cookies, storage, cache scoped per webapp)
• URL validation against allowlist scheme (https://, no file://, no javascript:)
• Atomic JSON profile/state write via tmp-file + rename (crash-mid-rename safe; crates/webapps-viewer/src/window/permissions/mod.rs, crates/webapps-manager/src/service/repository.rs)
• Icon download path canonicalization (no traversal into XDG dirs)
• Subprocess argv terminator on launcher invocations

• Bugs reproducible only with non-default debug builds (RUSTFLAGS=-C debug-assertions)
• Issues in third-party deps without exploitable path through this code (report upstream)
• Self-XSS, social engineering
• DoS via resource exhaustion below documented limits (see INVARIANTS.md budgets)

Coordinated. CVE requested when applicable. Credit in CHANGELOG + release notes. 90-day default embargo unless severity dictates faster public.

See INVARIANTS.md for the enforced contract (subprocess argv, path canonicalization, FFI lifetimes, etc.).