Skip to content

Security: LikeACloud7/transpaper

SECURITY.md

Security policy

Supported versions

Security fixes are applied to the latest commit on main. Older commits and unofficial forks are not maintained by this project.

Reporting a vulnerability

Please use Report a vulnerability in the repository's GitHub Security tab when private vulnerability reporting is available. Do not publish secrets, private paper contents, or a working exploit in a public issue.

If private reporting is unavailable, open a minimal public issue asking the maintainer for a private contact channel. Include no sensitive reproduction data in that issue.

Data and trust boundaries

  • Transpaper is not an offline translator. It sends extracted paper text and selected page-render images to OpenAI through either the logged-in Codex CLI or the optional OpenAI API mode.
  • Codex calls run with an ephemeral session, a temporary working directory, ignored user rules, and a read-only sandbox. The process receives the translation prompt plus the paper content and review images required by the pipeline.
  • Local artifacts can contain the original text, translated text, page images, QA output, and document metadata. They are stored beside the result in a hidden .<name>.ko.transpaper/ directory.
  • The web UI binds to 127.0.0.1 and disables Gradio sharing by default. Do not alter those defaults on a machine or network you do not trust.
  • PDFs are untrusted input parsed by PyMuPDF. Keep Transpaper and its dependencies updated, and process sensitive files only on a trusted machine.

Review OpenAI's current data controls and your account or workspace policy before translating confidential or regulated documents.

There aren't any published security advisories