Security

Reporting a vulnerability

If you've found a security issue in Makakoo OS, please report it privately. We treat security reports as priority work.

Please do not open a public GitHub issue for security problems before they're fixed.

What to include

• Affected version or commit hash
• Reproduction steps (smallest possible)
• Impact: what an attacker can do
• Suggested fix, if any

Response

We aim to acknowledge reports within 72 hours and to publish a fix or mitigation as quickly as the severity warrants. We will credit you in the advisory unless you request anonymity.

Scope

• The makakoo CLI and makakoo-mcp binary
• Bundled adapters and the kernel under github.com/makakoo/makakoo-os
• Install scripts served from makakoo.com/install, makakoo.com/install.sh, and makakoo.com/install.ps1

Out of scope: third-party plugins not vendored in this repo, your local LLM provider's API, Netlify infrastructure (report to Netlify).

Threat model (short)

Makakoo OS runs locally with the user's own credentials. It does not phone home, has no telemetry, and uses no third-party services it didn't get told about. Sandboxing for plugin execution and write-permission grants are documented in the repository — security claims should be evaluated against the source, not against marketing copy.

Verifying installs

Each release publishes per-asset .sha256 files alongside the archives at github.com/makakoo/makakoo-os/releases. The Homebrew formula at traylinx/homebrew-tap pins exact SHA-256 hashes per platform.

Sigstore build provenance attestations are planned for the next release line. Until then, verify the published hashes and the release workflow provenance in GitHub Actions.