Mac Clean deletes files on your Mac and runs a privileged XPC helper, so security matters more here than for most apps.

Please do not open public GitHub issues for security vulnerabilities.

Report them privately via GitHub's Private Vulnerability Reporting:

1. Open the Security tab on the repository
2. Click Report a vulnerability
3. Include: the affected file or feature, reproduction steps, expected vs actual behavior, and a suggested fix if you have one

Expect an initial response within 72 hours. Issues that risk data loss get same-day attention.

Only the latest release on main is supported. Please upgrade rather than asking for backports.

Reports about the following areas get priority:

• Sources/MacClean/Core/Cleaner/SafetyGuard.swift — bypasses of the protected-paths blocklist, the 10,000-file cap, or the symlink TOCTOU re-resolution
• Sources/MacClean/Core/Cleaner/CleaningEngine.swift — anything that causes data loss outside the intended scan results
• Sources/MacCleanHelper/ — unauthorized callers reaching the privileged XPC helper, privilege escalation, or arbitrary command execution via the helper
• Sources/MacClean/Services/XPCClient.swift — code-signature validation bypass on either side of the XPC connection
• Network exfiltration — Mac Clean makes zero network calls by design; report any network activity you observe
• TCC / Full Disk Access — any path to silently gain or abuse FDA

• Mac Clean not being Apple-notarized — intentional design choice, see the README
• Gatekeeper warnings on first launch via DMG — expected behavior
• General macOS bugs not specific to Mac Clean

• Give us a reasonable window to fix before public disclosure: 14 days for non-critical issues, immediate coordination for anything that risks user data
• Don't test against other people's machines
• Don't pivot from a found vulnerability to access user data

• Credit in the release notes (or stay anonymous if you prefer)
• Acknowledgment in this file for significant findings
• Our genuine thanks — Mac Clean is safer because of you

Mac Clean is ad-hoc signed (not Apple-notarized — see the README for why). To verify a release DMG corresponds to the source you reviewed, build it yourself:

git clone https://github.com/iliyami/MacClean.git
cd MacClean
git checkout v1.0.0   # or whichever release
bash scripts/build-dmg.sh

The DMG isn't bit-reproducible (ad-hoc signatures embed random nonces), but the source-to-binary build is straightforward and the behavior should match.

None yet. Will be linked here when applicable.