Only the latest release receives security fixes.

Please report vulnerabilities privately through GitHub Security Advisories rather than opening a public issue. Include reproduction steps and the affected version. You can expect an initial response within a week.

• MacSteamPort runs shell commands (Wine, Steam, Homebrew installs) on the user's behalf. Anything that lets a crafted Steam manifest, game profile JSON, or process name inject unintended commands is in scope and treated as high severity.
• The app never reads or stores Steam credentials. The support summary and logs are designed to omit passwords, full local paths, and raw process command lines — a report showing personal data leaking into those outputs is in scope.
• Issues in upstream components (Wine, GPTK, Steam itself) should be reported upstream.