This repository follows the Beeping Platform security policy defined in `beeping-io/beeping-meta`. Read it first.
Do NOT open a public GitHub issue for security vulnerabilities. Follow the disclosure process documented in beeping-meta SECURITY.md (private email + GPG-encrypted reports).
Expected response window: 72 hours to first acknowledgement.
Security-relevant surfaces of beeping-ios:
- Microphone audio capture (`NSMicrophoneUsageDescription` in consumer's Info.plist). The SDK requests permission lazily on first `listen()` call. Audio is never persisted; frames flow through the decoder and are discarded.
- Optional HTTP communication with `beepbox-server` in Cloud mode (`.cloud(apiKey:endpoint:)`). API key auth, TLS 1.2+ required.
- ObjC++ bridge to native `libbeepingcore` (XCFramework). Native libs are consumed from signed releases of `beeping-io/beeping-core` (post-BEE-79); current legacy state has them vendored as `libBeepingCoreUniversal.a` in the repo.
- `PrivacyInfo.xcprivacy` with declared API reasons (post-BEE-69, Apple mandate).
- No PII in logs. Telemetry is opt-out by default and audited for privacy in BEE-75.

- Server-side validation, rate limiting, infrastructure: tracked in `beepbox` and `beeping-meta` terraform.
- Client-side cryptography of payloads (none today; payloads are clear-text short identifiers, so applications layering crypto on top must do so themselves).
| Version | Supported |
|---|---|
| 0.x (any) | best-effort, no SLA (early development) |
A formal security SLA starts at 1.0.0 (post-Phase 21).
- Beeping Platform security policy
- `beeping-core` releases: source of native binaries (XCFramework)