MagicMirror is primarily intended for trusted local/private network environments. Direct public exposure to the internet or other untrusted networks is not recommended.
We take security seriously and encourage responsible disclosure of vulnerabilities to help us improve the software.
Please keep vulnerability details private — do not post them in public GitHub issues.
Instead, reach out privately via the MagicMirror forum to one of the core developers:
Please include, if possible:
- Affected version(s)
- Reproduction steps or proof-of-concept
- What could an attacker do with this?
- Any ideas how to fix it?
We will keep reported vulnerabilities private until a fix is available and coordinate the disclosure timeline with you. We aim to respond as quickly as possible.